Archived Blog
Web 2.0 - Abuse of Functionality
06.30.2008 - 9:00 AMMalware
Google allows users to upload files to their sites or blogs. Google Sites appears to prevent uploading malicious executables, as seen here after such an attempt:
However, only the file extension is checked, not the actual file header or its contents. Hence, if the extension is renamed to .jpg, the file can be hosted and retrieved with a typical malware downloader. This ability is illustrated below, as executable files start with an MZ header:
Google Pages, on the other hand, actually allows executable uploads. The screenshot below, taken from our ThreatSeeker technology, shows this functionality being abused in the wild:
Malicious Script
Google Sites prevents some input of malicious HTML or scripts as seen here:
However, similar checking does not seem to be performed across all properties, as seen by a simple persistent XSS (cross-site scripting) example here on a Blogger/Blogspot website:
Google is not being hacked, but is simply susceptible to the uploading of malicious code or files.