Hackers can use Google+ servers to launch a DDoS attack on ANY website!

A new security hole has been discovered in the Google+ servers that would allow attackers to mount a DDoS attack using Google's bandwidth.

Google+ has been in testing for quite some time now, and a researcher at an Italian security firm has reported that the Google+ servers can be used to send DDoS traffic to other websites.

The original report can be read on the IHTeam Security Blog, written by Simone Quatrini. He demonstrates how a user can make Google's servers act as a proxy and fetch the content of any website. He also notes that requests relayed through Google's servers are harder to trace back to the requester than requests made directly.

Update: I can confirm that Google is aware of this bug and their security team is working on it!

He describes two methods. The first uses /_/sharebox/linkpreview/ and does not expose the requester's IP address in the target's Apache server log, so the target's log shows nothing that identifies who is behind the requests. The second, gadgets/proxy?, does appear to expose the requester's IP address to the target's Apache server.

The team has also posted a shell script that exploits the vulnerability. The script makes Google's servers request a resource from a target website, and the important point is that the traffic uses Google's bandwidth rather than yours. There are some other methods to execute this in a safe way, but I'm not going to expose them.

You can specify any type of file you want Google's servers to download from the target, which makes a DDoS attack quick and simple!
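To make the amplification mechanism concrete, here is an added example, written for this page and not Google's code or the IHTeam script. It models a hypothetical link-preview endpoint in the shape the report describes (any caller names any URL, the whole body is fetched every time, nothing is cached or rate-limited, and the caller is never recorded) next to a hardened version of the same endpoint. The target URL, the byte counts and the `fake_fetch` stand-in for the outbound HTTP request are constructed for the example so that it runs offline.

```python
"""A link-preview endpoint as the page describes it, beside a hardened one.

Hypothetical example code; this is not Google's implementation. A constructed
`fake_fetch` stands in for the outbound HTTP request so the example runs offline.
"""
import time
from collections import defaultdict, deque
from urllib.parse import urlparse


class RateLimited(Exception):
    """Raised when a client exceeds its fetch budget."""


# Constructed target: body sizes the target would have to serve per request.
TARGET_SIZES = {
    "http://victim.example/big.iso": 4 * 1024 ** 3,   # a 4 GiB download
    "http://victim.example/index.html": 2048,
}


def fake_fetch(url, max_bytes=None):
    """Stand-in for an HTTP GET. Returns the number of bytes pulled from the
    target, honouring a read cap when one is given."""
    size = TARGET_SIZES.get(url, 0)
    return size if max_bytes is None else min(size, max_bytes)


def preview_unsafe(url, fetch=fake_fetch):
    """The amplifier: every call pulls the full body from the target at the
    proxy's expense, with no cache, no rate limit and no record of the caller."""
    return fetch(url)


def is_supported_url(url):
    """Only plain http/https URLs with a host and no embedded credentials."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.hostname) and p.username is None


class PreviewService:
    """Hardened shape: URL check, per-client sliding-window rate limit,
    per-URL cache, read cap, and a log entry tying each outbound fetch to
    the client that asked for it."""

    def __init__(self, fetch=fake_fetch, max_bytes=64 * 1024, per_client=10,
                 window_s=60.0, ttl_s=300.0, clock=time.monotonic):
        self.fetch, self.max_bytes = fetch, max_bytes
        self.per_client, self.window_s, self.ttl_s = per_client, window_s, ttl_s
        self.clock = clock
        self.history = defaultdict(deque)   # client -> request timestamps
        self.cache = {}                      # url -> (expires_at, bytes pulled)
        self.log = []                        # (client, url) per outbound fetch

    def _check_rate(self, client):
        now = self.clock()
        q = self.history[client]
        while q and now - q[0] > self.window_s:
            q.popleft()                      # drop requests outside the window
        if len(q) >= self.per_client:
            raise RateLimited(client)
        q.append(now)

    def preview(self, client, url):
        """Returns the bytes pulled from the target for this call: 0 on a
        cache hit, at most max_bytes otherwise."""
        if not is_supported_url(url):
            raise ValueError("unsupported URL")
        self._check_rate(client)
        now = self.clock()
        hit = self.cache.get(url)
        if hit and hit[0] > now:
            return 0                         # repeat request costs the target nothing
        pulled = self.fetch(url, max_bytes=self.max_bytes)
        self.cache[url] = (now + self.ttl_s, pulled)
        self.log.append((client, url))       # every outbound fetch is attributable
        return pulled


def cost_to_target(calls, func):
    """Total bytes the target serves when `func` is invoked `calls` times,
    stopping at the first rate-limit rejection."""
    total = 0
    for _ in range(calls):
        try:
            total += func()
        except RateLimited:
            break
    return total


if __name__ == "__main__":
    big = "http://victim.example/big.iso"
    print("unsafe endpoint, 10 calls:", cost_to_target(10, lambda: preview_unsafe(big)))
    svc = PreviewService()
    print("hardened endpoint, 10 calls:", cost_to_target(10, lambda: svc.preview("attacker", big)))
```

Ten requests for the 4 GiB file through the unsafe endpoint cost the target 40 GiB of outbound traffic; the same ten through the hardened one cost it 64 KiB once, with the rest served from cache and an eleventh request refused. The cache, the read cap and the attribution log correspond to the three properties the report relies on: full downloads at Google's cost, unlimited repetition, and no trace of the requester in the target's log.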

Note to Google: Please fix this vulnerability soon. Many, many sites could go down with this simple method. [Source: The Hacker News]