A security penetration tester at Italian security firm AIR Sicurezza Informatica has claimed that flaws exist in Google’s servers that will allow would-be hackers to exploit the search giant’s bandwidth and launch a distributed denial-of-service (DDoS) attack on a server of their choosing.
On the IHTeam Security Blog, Simone Quatrini, also known as R00T.ATI, demonstrates how users can make Google’s servers act as a proxy to fetch content on their behalf. Quatrini has written a shell script that will repeatedly prompt Google’s servers to make requests to a site of the attacker’s choice, effectively using Google’s bandwidth rather than their own.
Through a video and on the blog, he demonstrates the output bandwidth of an attack on his own server, of about 91Mbps. He claimed that his home bandwidth allows only 6Mbps.
Quatrini claimed to have contacted Google Security about the matter on 10 August, and UK computer security student Ryan Dewhurst claimed to have also alerted Google to the flaw on 24 July. Dewhurst tweeted the vulnerability publicly on 25 August after receiving no response.
ZDNet Australia contacted Google for comment, but the search giant was unable to respond at the time of publication.
Sebastien Jeanquier, principal consultant at information security firm Stratsec, told ZDNet Australiathat the flaw wasn’t inherently special and that proxies were fairly common on the internet.
“If anything, Google will notice [attack attempts] and probably blacklist you.”