Potential forum exploit using Google Docs

libert19

hero member

Activity: 2520

Merit: 952

Quote from: Silent26 on March 05, 2019, 11:30:06 AM

I've never received email from Bitcointalk forum that includes an attachment like that, hmm it's kinda strange. But who knows if its normal? Anyway, is that attachment some sort of spreadsheet? DMD 4th Year S? Is it "Student"?

Edit.
Oh letter S stands for "Silvercoin". I found it out after looking at this spreadsheet (which seems like a normal spreadsheet) https://docs.google.com/spreadsheets/d/1c3sZBd36Ln-ulEY4xFuu4RF9SyT-_jUykeJNMSYYwow/htmlview in this thread [WTS] ultra rare only 99 pieces existing 3oz gold plated silvercoin

I think op had notifications turned on for his selling thread, and someone replied with attachement there, and he received email for that with attachement.

bL4nkcode

copper member

Activity: 2142

Merit: 1305

Limited in number. Limitless in potential.

AFAIK all docs related to google platform e.g. docs, forms, sheets, youtube vids, etc., shows as clickable in forum's email once it's included in the thread you notified. But the thing I observed is gmail automatically detected once the doc's/links contained with malware or it automatically go to spam folder but it doesn't mean that attackers cannot exploit this type of attacks so I guess theymos should do something for that.

hybridsole

hero member

Activity: 943

Merit: 783

In Memory of Zepher

Yes in this instance there appears to be no ill will. But the fact remains that Gmail is the ubiquitous email platform, and this gives the impression that the "Bitcoin Forum" is sending an attachment within an email.

The exploit could occur as follows:

1. Attacker creates a remote code execution script within a Google Spreadsheet that bypasses Gmail's virus scanner.
2. Attacker makes posts to popular threads containing the link to their document.
3. Automated email is triggered to all who follow threads which contains the from "Bitcoin Forum", with this large green clickable attachment.
4. Attacker could then edit their post and replace the document with a link to a benign document to obscure what just happened.
5. All users watching the targeted threads with a Gmail account has an email containing a malware attachment from the forum.

Silent26

sr. member

Activity: 602

Merit: 327

Politeness: 1227: - 0 / +1

I've never received email from Bitcointalk forum that includes an attachment like that, hmm it's kinda strange. But who knows if its normal? Anyway, is that attachment some sort of spreadsheet? DMD 4th Year S? Is it "Student"?

Edit.
Oh letter S stands for "Silvercoin". I found it out after looking at this spreadsheet (which seems like a normal spreadsheet) https://docs.google.com/spreadsheets/d/1c3sZBd36Ln-ulEY4xFuu4RF9SyT-_jUykeJNMSYYwow/htmlview in this thread [WTS] ultra rare only 99 pieces existing 3oz gold plated silvercoin

hybridsole

hero member

Activity: 943

Merit: 783

In Memory of Zepher

This morning I received emails from the forum containing attachments. It was strange but I realized what occurred. The OP who made a new post, included a google doc link. Gmail users automatically see google doc files as attachments in their emails.

What's concerning is that, while Gmail scans these docs files for malware, there could be remote code hidden that remains undetected, or any number of advanced attacks through this mechanism. And users receiving an email from the forum may be more likely to click the attachment. I'm not sure what the potential fix is, but just wanted to give people a heads up that this type of attachment could reach anyone's inbox who is watching a subforum or thread and gets email alerts.

Topic: Potential forum exploit using Google Docs (Read 289 times)