DDOS Attack using Google Plus Server-Distributed Denial of Service

R00T.ATI claimed on the IHTeam Security Blog that he found a DDoS vulnerability in Google+. Using this vulnerability, hackers can launch a DDoS attack on any other website using the bandwidth of the Google Plus servers.

They demonstrate how an attacker can use the Google server as a proxy to send requests to the target website. Quatrini has written a shell script that repeatedly prompts Google's servers to make requests to a site of the attacker's choice, effectively using Google's bandwidth rather than their own.


How does it work?

The vulnerable pages are "/_/sharebox/linkpreview/" and "gadgets/proxy?".
It is possible to request any file type, and Google+ will download and show all the content. So, if you parallelize many requests, it is possible to DDoS any site with Google's bandwidth. It is also possible to start the attack without being logged in to Google Plus.

Attack vectors:
The advantage of making requests through Google's servers is being even more anonymous when you attack a site (TOR plus this method). The funny thing is that Apache will log Google IPs.
But beware: gadgets/proxy? will send your IP to the Apache log; if you want to attack, you'll need to use /_/sharebox/linkpreview/

The pen tester tried the DDoS against his own server using the Google Plus server: with a thread of 1000 requests, the output bandwidth reached 91/96 Mbps (his home bandwidth is only 6 Mbps).
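
A defender-side check for the pattern described above, as an added example (not from the original post or from IHTeam): because Apache logs the fetching service's IPs, the flood appears as one source repeatedly pulling the same file in a short window. The log lines, documentation-range IP addresses, function names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def flag_fetch_floods(lines, window_s=60, min_requests=5, min_bytes=50_000_000):
    """Return (source, path, window_start, requests, bytes) for each source that
    fetched one path at least min_requests times and min_bytes bytes inside a
    single window_s-second bucket. Thresholds are illustrative assumptions."""
    buckets = defaultdict(lambda: [0, 0])  # (source, path, bucket) -> [requests, bytes]
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        host, ts, _method, path, _status, size = m.groups()
        epoch = int(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp())
        key = (host, path, epoch - epoch % window_s)
        buckets[key][0] += 1
        buckets[key][1] += 0 if size == "-" else int(size)
    return sorted(
        (host, path, start, n, total)
        for (host, path, start), (n, total) in buckets.items()
        if n >= min_requests and total >= min_bytes
    )

def build_sample():
    """Constructed log: one source pulls a 10 MiB file 8 times in 8 seconds,
    while a second source browses normally."""
    lines = [
        f'192.0.2.10 - - [01/Jan/2024:12:00:{i:02d} +0000] '
        '"GET /files/big.iso HTTP/1.1" 200 10485760'
        for i in range(8)
    ]
    lines.append('198.51.100.7 - - [01/Jan/2024:12:00:03 +0000] '
                 '"GET /index.html HTTP/1.1" 200 5120')
    lines.append('198.51.100.7 - - [01/Jan/2024:12:00:09 +0000] '
                 '"GET /files/big.iso HTTP/1.1" 200 10485760')
    return lines

if __name__ == "__main__":
    for hit in flag_fetch_floods(build_sample()):
        print("possible proxied flood:", hit)
```

Sources flagged this way can then be rate-limited per path at the web server or upstream, which caps the bandwidth a third-party fetcher can be made to pull.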