Bitcoin Forum
November 19, 2019, 02:37:30 AM *
News: 10th anniversary art contest
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Potential forum exploit using Google Docs  (Read 183 times)
hybridsole
Hero Member
*****
Offline Offline

Activity: 933
Merit: 752


In Memory of Zepher


View Profile
March 05, 2019, 03:09:53 PM
Last edit: March 05, 2019, 04:15:14 PM by hybridsole
Merited by dbshck (5), suchmoon (4), Pmalek (1), mjglqw (1)
 #1

This morning I received emails from the forum containing attachments.  It was strange but I realized what occurred. The OP who made a new post, included a google doc link.  Gmail users automatically see google doc files as attachments in their emails.

What's concerning is that, while Gmail scans these docs files for malware, there could be remote code hidden that remains undetected, or any number of advanced attacks through this mechanism.  And users receiving an email from the forum may be more likely to click the attachment.  I'm not sure what the potential fix is, but just wanted to give people a heads up that this type of attachment could reach anyone's inbox who is watching a subforum or thread and gets email alerts.  

1574131050
Hero Member
*
Offline Offline

Posts: 1574131050

View Profile Personal Message (Offline)

Ignore
1574131050
Reply with quote  #2

1574131050
Report to moderator
1574131050
Hero Member
*
Offline Offline

Posts: 1574131050

View Profile Personal Message (Offline)

Ignore
1574131050
Reply with quote  #2

1574131050
Report to moderator
1574131050
Hero Member
*
Offline Offline

Posts: 1574131050

View Profile Personal Message (Offline)

Ignore
1574131050
Reply with quote  #2

1574131050
Report to moderator
The Bitcoin Forum is turning 10 years old! Join the community in sharing and exploring the notable posts made over the years.
1574131050
Hero Member
*
Offline Offline

Posts: 1574131050

View Profile Personal Message (Offline)

Ignore
1574131050
Reply with quote  #2

1574131050
Report to moderator
Silent26
Sr. Member
****
Offline Offline

Activity: 574
Merit: 322


Politeness: 1227: - 0 / +1


View Profile
March 05, 2019, 03:30:06 PM
 #2

I've never received email from Bitcointalk forum that includes an attachment like that, hmm it's kinda strange. But who knows if its normal? Anyway, is that attachment some sort of spreadsheet? DMD 4th Year S? Is it "Student"?

Edit.
Oh letter S stands for "Silvercoin". I found it out after looking at this spreadsheet (which seems like a normal spreadsheet) https://docs.google.com/spreadsheets/d/1c3sZBd36Ln-ulEY4xFuu4RF9SyT-_jUykeJNMSYYwow/htmlview in this thread [WTS] ultra rare only 99 pieces existing 3oz gold plated silvercoin

404 Not Found
hybridsole
Hero Member
*****
Offline Offline

Activity: 933
Merit: 752


In Memory of Zepher


View Profile
March 06, 2019, 02:09:00 AM
 #3

Yes in this instance there appears to be no ill will.  But the fact remains that Gmail is the ubiquitous email platform, and this gives the impression that the "Bitcoin Forum" is sending an attachment within an email. 

The exploit could occur as follows:

1. Attacker creates a remote code execution script within a Google Spreadsheet that bypasses Gmail's virus scanner.
2. Attacker makes posts to popular threads containing the link to their document.
3. Automated email is triggered to all who follow threads which contains the from "Bitcoin Forum", with this large green clickable attachment.
4. Attacker could then edit their post and replace the document with a link to a benign document to obscure what just happened.
5. All users watching the targeted threads with a Gmail account has an email containing a malware attachment from the forum.

bL4nkcode
Copper Member
Hero Member
*****
Offline Offline

Activity: 1358
Merit: 793


Happy 10th anniversary Bitcointalk!


View Profile WWW
March 06, 2019, 03:29:00 AM
 #4

AFAIK all docs related to google platform e.g. docs, forms, sheets, youtube vids, etc., shows as clickable in forum's email once it's included in the thread you notified. But the thing I observed is gmail automatically detected once the doc's/links contained with malware or it automatically go to spam folder but it doesn't mean that attackers cannot exploit this type of attacks so I guess theymos should do something for that.

..bustadice..         ▄▄████████████▄▄
     ▄▄████████▀▀▀▀████████▄▄
   ▄███████████    ███████████▄
  █████    ████▄▄▄▄████    █████
 ██████    ████████▀▀██    ██████
██████████████████   █████████████
█████████████████▌  ▐█████████████
███    ██████████   ███████    ███
███    ████████▀   ▐███████    ███
██████████████      ██████████████
██████████████      ██████████████
 ██████████████▄▄▄▄██████████████
  ▀████████████████████████████▀
                     ▄▄███████▄▄
                  ▄███████████████▄
   ███████████  ▄████▀▀       ▀▀████▄
               ████▀      ██     ▀████
 ███████████  ████        ██       ████
             ████         ██        ████
███████████  ████     ▄▄▄▄██        ████
             ████     ▀▀▀▀▀▀        ████
 ███████████  ████                 ████
               ████▄             ▄████
   ███████████  ▀████▄▄       ▄▄████▀
                  ▀███████████████▀
                     ▀▀███████▀▀
           ▄██▄
           ████
            ██
            ▀▀
 ▄██████████████████████▄
██████▀▀██████████▀▀██████
█████    ████████    █████
█████▄  ▄████████▄  ▄█████
██████████████████████████
██████████████████████████
    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
    ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
       ████████████
......Play......
libert19
Full Member
***
Online Online

Activity: 854
Merit: 114


First 100% Liquid Stablecoin Backed by Gold


View Profile WWW
March 06, 2019, 04:20:35 AM
 #5

I've never received email from Bitcointalk forum that includes an attachment like that, hmm it's kinda strange. But who knows if its normal? Anyway, is that attachment some sort of spreadsheet? DMD 4th Year S? Is it "Student"?

Edit.
Oh letter S stands for "Silvercoin". I found it out after looking at this spreadsheet (which seems like a normal spreadsheet) https://docs.google.com/spreadsheets/d/1c3sZBd36Ln-ulEY4xFuu4RF9SyT-_jUykeJNMSYYwow/htmlview in this thread [WTS] ultra rare only 99 pieces existing 3oz gold plated silvercoin

I think op had notifications turned on for his selling thread, and someone replied with attachement there, and he received email for that with attachement.


Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!