Google’s servers can be used by cyber attackers to launch DDoS attacks, claims Simone “R00T_ATI” Quatrini, a penetration tester for Italian security consulting firm AIR Sicurezza.
Quatrini discovered that two vulnerable pages – /_/sharebox/linkpreview/ and gadgets/proxy? – can be used to request any file type, which Google+ will download and show – even if the attacker isn’t logged into Google+.
By making many such request simultaneously – which he managed to do by using a shell script he’s written – he practically used Google’s bandwidth to orchestrate a small DDoS attack against a server he owns.
He points out that his home bandwidth can’t exceed 6Mbps, and that the use of Google’s server resulted in an output bandwidth of at least 91Mbps.
“The advantage of using Google and make requests through their servers, is to be even more anonymous when you attack some site (TOR+This method); The funny thing is that apache will log Google IPs,” says Quatrini. “But beware: igadgets/proxy? will send your IP in apache log, if you want to attack, you’ll need to use /_/sharebox/linkpreview/.”
He says he has discovered the flaws that allow the attack on August 10 and that he contacted Google’s Security center about it. After 19 days of receiving no reply from Google, he published his findings.