Get best of the week

Download and store files of any size on Google Drive for free. Bug or feature?

I recently found a weird feature in Google Drive. A certain sequence of actions in the Google Drive web interface leads to the fact that everyone can upload files of any size to their account and at the same time not spend a single byte to store them.

Of course, I immediately decided to report it to Google through the BugHunter program . But, to my regret, having spent a week communicating with Google experts, I was not able to convince them that this was a bug. The employee was unable to reproduce this bug and I received a response that “this is not a bug, but a feature” and I was sent to RTFM. In the end, Google just closed the ticket and stopped responding to my emails.

Since the correspondence with Google has reached an impasse, I decided to publicly talk about this “feature” and, perhaps, finally draw the attention of Google employees to this problem or at least understand what I'm doing wrong. Below under the cat is the history of correspondence with Google and proof of concept.

Here is the report I sent to Google.
Summary: Service abuse: Free unlimited file storage, space counting error

Steps to reproduce:

  1. Create a new google drive account
  2. File "Getting started" appeared
  3. Right click on the file, click on "Manage Versions"
  4. Upload any amount of files as a new version of "Getting started", no space counting, even with "keep forever" checked for that file.

Browser / OS: Any

Attack scenario:

Any regular user can do that with google drive user interface or experienced user via google drive api. A user can upload unlimited amount of files without any payments and store files forever for free.
As is clear from the text, in order to reproduce the problem, you need to create a new account. Then go to google drive and find the file “Getting started”, which is created automatically in each new account.

The first thing that immediately struck me was that the size of this file is 1MB, but it takes 0 bytes.

image

This was strange since PDF is not a Google Drive native storage format and should use a common limit. It was clear that the service somehow excluded this file from the list to count the place. Simple copying of the file led to the fact that the file began to weigh real megabytes.

However, as it turned out, if instead of copying a file just downloading a new version, this new version will still occupy 0 bytes.

Before publishing this article, I repeated the experiment with a new account and successfully loaded 17GB into an account with a limit of 15GB without any problems.

In Google Drive, you can select the option “save all versions”, I checked, if you select it, then all versions of the file are saved and do not waste space.

image

Thus, by simple tricks you can store any number of files of any size in Google Drive.

Unfortunately, a Google employee was unable to reproduce this issue and asked me to make a video:
Hey,

We're closing this bug, as you didn't provide enough details for us to determine what the security issue you're reporting. Feel free to update this report with additional details.

We tried to replicate it and wasn't able to, if you think you were able to feel free to share a proof of concept in a video.

If you didn't provide this yet, please include the reproduction steps (https://sites.google.com/site/bughunteruniversity/improve/help-us-reproduce-the-bug), an attack scenario (https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario) and a short explanation why do you believe this is a technical security vulnerability.

Thanks!
Google Trust & Safety
I made a video from my test account in my Google Apps domain with a limit of 15GB.

And after a while I got this answer:
Hello,

Thanks for the POC, we noticed in the video you shared it is associated with Gsuite account visible on the right top of the video screen.
For more information on G suite storage limit please visit. support.google.com/a/answer/172541?hl=en

Your report is now * closed *

Thanks!
Google Trust & Safety
My further attempts to contact Google were unsuccessful, I tried to write another comment, attached the video from the POC from a regular account again, but the response was only silence.

In conclusion, I want to say that I participated in Yandex BugBounty quite a lot and always received excellent feedback on all of my submitted reports. Unfortunately, Google, in my opinion, is very strange about such messages. Most likely, this is my first and last attempt to send information about a bug in Google applications with such feedback.

PS Link to report , if Google employees are suddenly present on Habr, perhaps they will be able to clarify what I did wrong.

UPDATE 02.26.2020:
Today the bug was rediscovered. Thanks to all!
image

More articles:


All Articles