Re: Spammers Using storage[.]googleapis[.]com ?!!?

[Adrien JOLIBERT <jolibert () gmail com>]

Quite an old trick becoming popular.
So yep, the stuff is hosted on one of the google services in private mode; redirections gives you a valid token to 
access.

> Le 3 août 2021 à 19:35, Nick Boyce <nick.boyce () gmail com> a écrit :
>
> I notice that among the spam in my Gmail spam folder, there are a
> number of "address-check" type messages (i.e. that just seek
> confirmation my address exists), which attempt to get their response
> by performing a scripted redirect via a web property belonging to
> Google ...... and I tend to think "Huh? ... Surely Google wouldn't let
> that happen ... is this redirect something that by some chance they
> don't know about ?".
>
> Every link in the spam has the following HREF:
>
> https://storage[.]googleapis[.]com/medya00/redirectDOM80.html#[long-alphanum-string-that-presumably-identifies-me]
>
> The contents of 'redirectDOM80.html' just sets document.location.href
> to somewhere else, passing on the ID string.
>
> I won't include any of the above spam's boilerplate, but it's offering
> to let me check my "public records" so that I can find out what other
> people might know about me.
>
> So does anybody know WTF ?   Is this some unfortunate side-effect of a
> Google service that can't be avoided (I have no real idea what the
> purpose of 'storage[.]googleapis[.]c' might be), or is this in fact
> some dreadful snafu on the part of some Google sysadmin somewhere ?
>
> There's some useless discussion of what sounds like the same thing, here:
> https://community.norton.com/en/forums/storagegoogleapiscom
> but it's the very idea of there being an open redirect in a Google web
> property that astonishes me.
>
> These Google support tickets from 2020 suggest that anybody can store
> anything they want as a second-level URI within s.g.c, and that
> malicious artifacts are commonly stored there, and that Google is
> blissfully ignorant of it until each individual artifact is reported,
> and that even then Google doesn't care and does nothing:
> https://support.google.com/webmasters/thread/29210246/storage-googleapis-abuse-report?hl=en
> https://support.google.com/webmasters/thread/24437958/does-google-take-actions-with-regards-to-reported-cloud-storage-abuse-reports?hl=en
> ..... but I can't quite believe it - surely they vet incoming traffic
> ?  Allowing the upload of arbitrary HTML to their own domain is ....
> well .. [head explodes].
>
> FWIW, people complain that Amazon AWS is also abused in the same way.
>
> [No, I haven't bothered to let Google know directly - all of my
> attempts to let them know about other minor issues with their services
> have just resulted in a deafening silence - but I will try if folks
> think I should.]
>
> Cheers
> Nick
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/