Downloaded 62 times
Uploaded byAjin Abraham
Abusing Google Apps and Data API: Google is My Command and Control Center
The document discusses potential abuses of Google Apps and Data API, with various methods for email bombing, phishing, and botnet communication using Google technologies. It highlights the use of Google Apps Script, Data URI, and Google Spreadsheets for malicious activities, including a prototype bot named 'xbot' that utilizes these services for command and control. The conclusion emphasizes the danger of exploiting seemingly innocent services and notes the lack of security measures like CAPTCHA on Google Forms.
More Related Content
![[OPD 2019] Inter-application vulnerabilities](https://cdn.slidesharecdn.com/ss_thumbnails/interapplicationvulnerabilities-mszydlowski-191021171552-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Abusing Google Apps and Data API: Google is My Command and Control Center
Abusing Google Apps and Data API: Google is My Command and Control Center
- 1. Abusing Google Apps& Data API Google is my C2.
- 2. #whoami www.opensecurity.in Information Security Enthusiast Founderof OWASP Xenotix XSS Exploit Framework Strong supporter of Free and Open Information Security Education. Runs a DEFCON chapter at Kerala. Another Leaner.
- 4. disclaimer All third partyimages are the property of their respective owners. Just pointing out how some innocent services can be abused. I am not responsible for anything.
- 5. Agenda Intro Abusing AppScript fore-mail bombing Data URI + Google Forms + TinyURL = Phishing Variant Google Spreadsheet + DATA API = A Botnet Communication Channel xBOT : A prototype Bot Conclude
- 6.
- 7. Email Bombing: theold ways Methods of e-bombing Open Relay servers PHP/ASP/JSP Mail Functions Misconfigured Mail Sending features in Web Apps Now blocked by services like Gmail, Live, Yahoo etc. E-bombs will end up in SPAM folder.
- 8. Google AppScript Google AppsScript is a JavaScript cloud scripting language.
- 9. AppScript : ClassMailApp
- 10.
- 11.
- 12. Data URI Data URIPhishing was described by “Henning Klevjer” in his Paper Data URI allows you to include data in-line in web pages via URL data:text/html,<body>hi</body> data:text/html;base64,PGJvZHk+aGk8L2JvZHk+
- 13. DATA URI +Google Forms + Tiny URL = Beauty Combining all these stuff gives a beautiful Phishing Attack. A Perfect addition to Social Engineering.
- 14. Basic Idea http://tinyurl.com/fb data:text/html,<body>hi</body> Google Spreadsheet credentials Injectedwith our JavaScript FB Server
- 15. JavaScript to dothe work
- 16.
- 17. Channelizing Google SpreadSheet GoogleSpreadSheet can store data online. You can export the contents of the spreadsheet as json, rss and tsv Read and Write remotely SSL Hmmm! What else you want?
- 18. Selecting the rightURL format Execution Time Data Length 9 600000 8 500000 7 6 400000 5 300000 4 3 200000 2 100000 1 0 0 JSON RSS Data Length TSV Source JSON RSS TSV Execution Time Source
- 20. What is xBOT? xBOTis a PoC bot. Uses Google Spreadsheet and Forms to implement it’s Communication Channel. Uses Google DATA API to extract the commands. Use a third party server for file hosting.
- 21. xBOT Architecture Command andControl Send Commands Google Form Google Spreadsheet File URL Send Response File Upload File Hosting xbot.py xBOT Victim Get Commands Every 4 Sec
- 22.
- 23. Conclusion Nasty things canbe built over Innocent stuffs. These are some possible ways an attacker could use. Interesting Fact: There is no captcha for Google Forms. That’s all
- 24.