Author

Topic: Potential forum exploit using Google Docs (Read 297 times)

hero member
Activity: 2520
Merit: 952
March 05, 2019, 11:20:35 PM
#5
I've never received email from Bitcointalk forum that includes an attachment like that, hmm it's kinda strange. But who knows if its normal? Anyway, is that attachment some sort of spreadsheet? DMD 4th Year S? Is it "Student"?

Edit.
Oh letter S stands for "Silvercoin". I found it out after looking at this spreadsheet (which seems like a normal spreadsheet) https://docs.google.com/spreadsheets/d/1c3sZBd36Ln-ulEY4xFuu4RF9SyT-_jUykeJNMSYYwow/htmlview in this thread [WTS] ultra rare only 99 pieces existing 3oz gold plated silvercoin

I think op had notifications turned on for his selling thread, and someone replied with attachement there, and he received email for that with attachement.

copper member
Activity: 2142
Merit: 1305
Limited in number. Limitless in potential.
AFAIK all docs related to google platform e.g. docs, forms, sheets, youtube vids, etc., shows as clickable in forum's email once it's included in the thread you notified. But the thing I observed is gmail automatically detected once the doc's/links contained with malware or it automatically go to spam folder but it doesn't mean that attackers cannot exploit this type of attacks so I guess theymos should do something for that.
hero member
Activity: 943
Merit: 783
In Memory of Zepher
Yes in this instance there appears to be no ill will.  But the fact remains that Gmail is the ubiquitous email platform, and this gives the impression that the "Bitcoin Forum" is sending an attachment within an email. 

The exploit could occur as follows:

1. Attacker creates a remote code execution script within a Google Spreadsheet that bypasses Gmail's virus scanner.
2. Attacker makes posts to popular threads containing the link to their document.
3. Automated email is triggered to all who follow threads which contains the from "Bitcoin Forum", with this large green clickable attachment.
4. Attacker could then edit their post and replace the document with a link to a benign document to obscure what just happened.
5. All users watching the targeted threads with a Gmail account has an email containing a malware attachment from the forum.

sr. member
Activity: 602
Merit: 327
Politeness: 1227: - 0 / +1
I've never received email from Bitcointalk forum that includes an attachment like that, hmm it's kinda strange. But who knows if its normal? Anyway, is that attachment some sort of spreadsheet? DMD 4th Year S? Is it "Student"?

Edit.
Oh letter S stands for "Silvercoin". I found it out after looking at this spreadsheet (which seems like a normal spreadsheet) https://docs.google.com/spreadsheets/d/1c3sZBd36Ln-ulEY4xFuu4RF9SyT-_jUykeJNMSYYwow/htmlview in this thread [WTS] ultra rare only 99 pieces existing 3oz gold plated silvercoin
hero member
Activity: 943
Merit: 783
In Memory of Zepher
This morning I received emails from the forum containing attachments.  It was strange but I realized what occurred. The OP who made a new post, included a google doc link.  Gmail users automatically see google doc files as attachments in their emails.

What's concerning is that, while Gmail scans these docs files for malware, there could be remote code hidden that remains undetected, or any number of advanced attacks through this mechanism.  And users receiving an email from the forum may be more likely to click the attachment.  I'm not sure what the potential fix is, but just wanted to give people a heads up that this type of attachment could reach anyone's inbox who is watching a subforum or thread and gets email alerts.  

Jump to: