lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 13 Mar 2014 18:43:39 +0100
From: ┼╣micier Januszkiewicz <gauri@....by>
To: Brandon Perry <bperry.volatile@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Google vulnerabilities with PoC

: you could upload huge blobs and just take up space on the google servers.
How many people upload gigabytes of crappy videos on google servers,
hourly? So far, the DDoS didn't happen for some reason, even
considering the amount of users. There is a small potential to exploit
this via a botnet, but what's the gain? YT upload breaks? Wow, so much
win.

By the way, why not just upload some valid, generated on the fly MPEG
stream? The effect is the same if you consider the data amount, but
without all the "unrestricted" shouts and academic vulnerabilities.


2014-03-13 18:33 GMT+01:00 Brandon Perry <bperry.volatile@...il.com>:
> If you were evil, you could upload huge blobs and just take up space on the google servers. Who knows what will happen if you upload a couple hundred gigs of files. They dont disappear, they are just unretrievable afaict. It is a security risk in the sense that untrusted data is being persisted *somewhere*.
>
> Upload a couple terabytes, cause a DoS because some hdd in the DC fills up. Who knows.
>
> Sent from a computer
>
> On Mar 13, 2014, at 12:28 PM, Michal Zalewski <lcamtuf@...edump.cx> wrote:
>
>>> The only reasonable way to 'exploit' the bug is using youtube as a
>>> "personal storage" uploading non-video files to your own profile: so what?
>>
>> That would require a way to retrieve the stored data, which - as I
>> understand - isn't possible here (although the report seems a bit
>> hard-to-parse). From what I recall, you can just upload a blob of data
>> and essentially see it disappear.
>>
>> We do have quite a few services where you can legitimately upload and
>> share nearly-arbitrary content, though. Google Drive is a good
>> example.
>>
>> /mz
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists