Reflected Filename Download on Google

WS201510 – Reflected Filename Download on Google
by David Sopas @dsopas


I found a Reflected Filename Download on a Google API – Google UDS [User Distributed Search].
For me it was a challenge and a pleasure to find this because so far I had only discovered Reflected Filename Download vulnerabilities in JSON files.
People need to consider that RFD is not a JSON issue.
You can find these types of vulnerabilities in other response types too – like this one in JavaScript.

The security issue is located at:

And here:

Where you can inject into and manipulate the response using the file variable.
The problem is that even if the file/module doesn't exist, the endpoint returns HTTP code 200.

var error = new Error("Module: 'dont_exists' not found!");
error.toString = function() { return this.message; }
throw error;



Reflecting URL variables with HTTP code 200 is not always a good idea, and here it gave me the opportunity to mount an RFD attack.

var error = new Error("Module: 'gdata\"||start chrome\/malware.htm --disable-web-security --disable-popup-blocking||' not found!");
error.toString = function() { return this.message; }
throw error;

So the Reflected part is done. Now I only need to control the filename. Due to filename restrictions on the Google path, I need to use the HTML5 download attribute of the A element to do this. Because of that, "only" the following browsers are supported:

– Chrome
– Opera
– Android Browser
– Chrome for Android
– Firefox [forcing the user to "Save Link As" – done with a simple JavaScript return false;]

What this RFD attack does: when the user clicks the download link, they receive a file that appears to come from [a trusted domain], which lends it credibility with the victim.
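As an added example (not Google's code and not from the original post), here is a toy model of the reflecting endpoint beside a hardened version: the module name is checked against a constructed allow-list, unknown names get a 404 with a fixed message, and nosniff plus a server-chosen filename are set so request input can neither reach the body nor pick the download name.

```javascript
// Added example, not Google's code: a toy model of an endpoint that echoes a
// requested module name into a JavaScript error body, next to a hardened
// variant. Both return {status, headers, body} so they can be checked offline.

// Constructed allow-list of module names the server actually knows about.
const KNOWN_MODULES = new Set(['gdata', 'search']);

// Weak pattern: the unvalidated name is reflected into the body and the
// response is 200 whether or not the module exists.
function weakResponse(file) {
  return {
    status: 200,
    headers: { 'Content-Type': 'text/javascript' },
    body: "var error = new Error(\"Module: '" + file + "' not found!\");\n" +
          'error.toString = function() { return this.message; }\nthrow error;\n',
  };
}

// Hardened pattern: strict allow-list on the name, 404 for unknown modules,
// a fixed error message that never contains request input, nosniff so the
// body is only ever treated as script, and a server-chosen filename.
function hardenedResponse(file) {
  const headers = {
    'Content-Type': 'text/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': 'inline; filename="uds.js"',
  };
  const wellFormed = typeof file === 'string' && /^[a-z0-9_]{1,32}$/.test(file);
  if (!wellFormed || !KNOWN_MODULES.has(file)) {
    return { status: 404, headers, body: 'throw new Error("Module not found!");\n' };
  }
  return { status: 200, headers, body: '// module ' + file + ' would be served here\n' };
}

// Check: does the request input survive verbatim into the response body?
function reflectsInput(resp, input) {
  return resp.body.indexOf(input) !== -1;
}
```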


Google replied:

The reward panel reviewed this finding and decided that it does not meet the bar for a financial reward, but we would like to acknowledge your contribution
to Google security in our Hall of Fame. A general perspective on the issue is shared here:
That said, we do appreciate your report and would like to add you to our Hall of Fame available at the following URL:

This didn't get me any bounty, but they were nice enough to give me an Honorable Mention – my second one :)


16 Mar 15 – Submitted to Google
18 Mar 15 – Google filed the bug
07 Apr 15 – Google replied
08 Apr 15 – Full disclosure
