Posted on 29 August 2011 (37 Comments)

Discovered on 10 Aug 2011
Google Security center contact: 10 Aug 2011
Response from the Google Security center: N/A
Published: 29 Aug 2011 (GMT +1)

How does it work?
The vulnerable endpoints are /_/sharebox/linkpreview/ and gadgets/proxy?.
It is possible to request any file type, and G+ will download and return the whole content. So, if you parallelize many requests, it is possible to DDoS any site with Google's bandwidth. It is also possible to start the attack without being logged in to G+.

Attack vectors:
The advantage of using Google and making requests through their servers is being even more anonymous when you attack a site (TOR + this method); the funny thing is that Apache will log Google's IPs.
But beware: gadgets/proxy? will send your IP to the Apache log; if you want to attack, you'll need to use /_/sharebox/linkpreview/.

A time-based SQL injection attack will also work using this method.
The DDoS attack is just an example; do not start a DDoS for no reason.

Practical examples:
https://plus.google.com/_/sharebox/linkpreview/?c=<SITE>&t=1&_reqid=<RANDOM_NUMBERS>&rt=j
or
https://images2-focus-opensocial.googleusercontent.com/gadgets/proxy?url=<SITE>&container=focus


UPDATE 1: _/sharebox/linkpreview was fixed on 01 Sep 2011 at 15:20 (GMT +1); no communication from Google at the moment.
UPDATE 2: Reply message from G Security team on 02 Sep 2011 at 00:36 (GMT +1):

Hello

Apologies for missing this one - "mea culpa" for not responding to your
email. 

As you've noticed, we've made a few tweaks to the existing abuse detection
and prevention mechanisms that were already in place. Thanks for your
assistance!

Cheers,
Adam

UPDATE 3: Some lamerz used this kind of attack to inflate someone's bandwidth bill in the Amazon cloud (http://www.behind-the-enemy-lines.com/2012/04/google-attack-how-i-self-attacked.html)
Video guide:

In this example I start a thread of 1000 requests, and the resulting outbound bandwidth is 91-96 Mbps (my home bandwidth is only 6 Mbps). This is my server; do not start DDoSing around for no reason!

+DDoS source code download:

http://iht.li/p/tdQt2t


37 Responses so far.

  1. ethicalhack3r writes:

    I emailed security@google.com on July 24th after discovering the “gadgets/proxy?” bug.

    I too did not receive a response.

    I disclosed the vulnerability publicly on Twitter on the 25th of August.

    http://twitter.com/#!/ethicalhack3r/status/106759659779670017

  2. Hmmm writes:

    Maybe they didn’t answer you, but they fixed it.

  3. Black writes:

    Confirmed working and not fixed.

  4. BreakThesec writes:

    They haven’t fixed it yet?! I think they didn’t notice this vulnerability. Now they will notice.

  5. hashashin writes:

    Can you use the bug for casual surfing?

    • r00t writes:

      Yes, I think it is possible. Content will return to you… so yes!

      • hashashin writes:

        Since a p.txt file containing the HTML content for the requested site is returned using gadgets/proxy, I was thinking of a Greasemonkey script to convert the text file to HTML and also request further content from the URL.

        Any thoughts on how I could surf using the bug?

  6. D3 writes:

    Nice find. From my past experience, Google and Facebook usually ignore such mails and only respond when it's abused on a large scale.

  7. Fabio writes:

    A curiosity, Simone: which application do you use in the second tab of the terminal?
    Anyway, Google has these “moments”, i.e. ignoring vulnerability reports. Let's see whether, after multiple reports and articles like this one and others, they decide to listen and fix it.

  8. mistic writes:

    I’m trying on my server but I can’t get it to work. I’m using Cygwin; when I enter bash script.sh my.server 1000 it says that it started, but my server is fine… and the output bandwidth doesn’t show any results…

  9. mistic writes:

    Without nohup and one request there is an error:
    syntax error near unexpected token ‘$'{\r”

  10. mistic writes:

    I downloaded it again; same thing, it says Sending 1000 requests but nothing happens… About the Usage: big file Requests, what do you mean by big file? I only enter the IP address…

  11. mbah_google writes:

    How to use it? Just run the _154785695367_+ddos.sh file?

    Does the source of _154785695367_+ddos.sh not need to be edited?

    Reply to me soon.

  12. anonimo33 writes:

    Great job… I was thinking of something similar to you, but in my case on the web page of the university.

  13. activelive writes:

    Dear all, how can I join ihteam?

  14. brol writes:

    /_/sharebox/linkpreview/ does not work any more.

    /gadgets/proxy still works, but we can detect the user-agent and block it.
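Comment 14 above notes that the relayed fetches can be detected by user-agent, and the post itself observes that Apache logs Google's IPs rather than the attacker's. As an added example (not code from the post or its author), here is a small Python detector over constructed Apache combined-log lines: it groups requests by user-agent and fixed time window and reports bursts, so a site owner can spot this kind of relayed traffic. The user-agent string, IPs and paths are placeholders, not Google's real values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def proxy_fetch_bursts(log_lines, window=10, max_requests=3):
    """Count requests per (user-agent, fixed window of `window` seconds).

    The fetcher's source IPs vary (the post notes Apache logs Google's IPs), so
    the user-agent is the stable key, as comment 14 says; busy windows are returned."""
    buckets = defaultdict(lambda: [0, 0])  # (ua, window index) -> [requests, bytes]
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ua"], int(rec["ts"].timestamp()) // window)
        buckets[key][0] += 1
        buckets[key][1] += rec["bytes"]
    return [{"user_agent": ua, "requests": n, "bytes": b}
            for (ua, _), (n, b) in sorted(buckets.items()) if n > max_requests]

# Constructed sample log (not from the post). "ExampleLinkPreviewFetcher/1.0"
# is a hypothetical placeholder user-agent, not Google's real string.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Aug/2011:15:20:01 +0100] "GET /big.iso HTTP/1.1" 200 104857600 "-" "ExampleLinkPreviewFetcher/1.0"
203.0.113.11 - - [29/Aug/2011:15:20:01 +0100] "GET /big.iso HTTP/1.1" 200 104857600 "-" "ExampleLinkPreviewFetcher/1.0"
203.0.113.10 - - [29/Aug/2011:15:20:02 +0100] "GET /big.iso HTTP/1.1" 200 104857600 "-" "ExampleLinkPreviewFetcher/1.0"
203.0.113.12 - - [29/Aug/2011:15:20:03 +0100] "GET /big.iso HTTP/1.1" 200 104857600 "-" "ExampleLinkPreviewFetcher/1.0"
203.0.113.11 - - [29/Aug/2011:15:20:04 +0100] "GET /big.iso HTTP/1.1" 200 104857600 "-" "ExampleLinkPreviewFetcher/1.0"
198.51.100.7 - - [29/Aug/2011:15:20:05 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in proxy_fetch_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Grouping by user-agent rather than IP matters here because the relay spreads one client's requests across many Google addresses; a per-IP rate limit alone would miss the burst.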

  15. Andres writes:

    I’m super sorry. I entered this page one week ago and it was down, but I could still see it because you use some service… could you tell me what that service is that you use? (some backup uptime web page… or something).
    Thanks (and sorry again; as you said in other comments, this is not a school to explain everything, but I think I could really use a service like the one you have).

  16. evilkid writes:

    Hey,
    I tried your script using Cygwin, but I’m getting an error each time I try to execute it:
    http://s891.photobucket.com/albums/ac114/evilkidaz/cygwin.jpg

    Any idea?

  17. josh writes:

    Confirmed working. They haven’t fixed it yet. It’s been 8 months.

    Anyway, we got a free fast proxy :)

    Thanks

  18. Sharmil writes:

    Dear,

    The last attack which you have shown in the video, with a loop of ICMP echo requests, is outdated and does not work any more on almost all servers, quite literally, because most servers are now configured to block ICMP requests from a particular IP above a critical limit. So after some requests, your echo requests would not be responded to and would be blocked.

    And the one which happened incidentally to Mr. Panos has a much higher probability of working if you find a script to generate the list of all image URLs from a web page or the whole website, because Google in this case acts as a human agent, i.e. acts on behalf of you, so it will not be restricted by the server.

    But the challenging thing here is to generate the list of all image URLs on the particular site to execute this attack successfully.

  19. psil0cybin writes:

    Does this still work in 2013? Or has this been fixed?

