
Web 2.0 - Abuse of Functionality

06.30.2008 - 9:00 AM

When users are given privileges such as directly editing HTML or uploading files, security issues are bound to arise. This power is being abused by phishers and malicious authors to steal personal information or compromise computers. Below we detail current abuses of Google properties such as Google Sites, Google Pages, and Blogger in terms of hosting malware and exploit code.

Malware

Google allows users to upload files to their sites or blogs. Google Sites appears to prevent uploading malicious executables, as seen here after such an attempt:

However, only the file extension is checked, not the actual file header or its contents. Hence, if the extension is renamed to .jpg, the file can be hosted and retrieved with a typical malware downloader. This ability is illustrated below, as executable files start with an MZ header:

Google Pages, on the other hand, actually allows executable uploads. The screenshot below, taken from our ThreatSeeker technology, shows this functionality being abused in the wild:
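The check this section finds missing, an upload filter that compares the file header against the claimed extension, sketched as an added example (not code from the original post or from Google). The function name `check_upload`, the allow-list of image types, and the sample byte strings are assumptions constructed for illustration.

```python
import os

# Leading-byte signatures for the image types an upload form might accept.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Signatures of native executables that should never be hosted as content.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
}


def check_upload(filename, data):
    """Return (accepted, reason) using both the extension and the file header."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_MAGIC:
        return False, "extension %r not on allow-list" % ext
    # Header check: this is the step an extension-only filter skips.
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return False, "content is a %s despite %s extension" % (label, ext)
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match %s signature" % ext
    return True, "extension and header agree"


# Constructed sample uploads (header bytes plus padding, not real files).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16),
    ("setup.exe", b"MZ\x90\x00" + b"\x00" * 16),
    ("setup.jpg", b"MZ\x90\x00" + b"\x00" * 16),  # renamed executable
    ("notes.png", b"plain text renamed to png"),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, check_upload(name, blob))
```

Matching the header closes the rename case described above; it does not establish that a file with a valid image header is harmless.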

Malicious Script

Google Sites prevents some input of malicious HTML or scripts as seen here:

However, similar checking does not seem to be performed across all properties, as seen by a simple persistent XSS (cross-site scripting) example here on a Blogger/Blogspot website:

Google is not being hacked, but is simply susceptible to the uploading of malicious code or files.
