TL;DR Today’s bug is a trivial bypass: if exploited, it lets the attacker download a large file regardless of the quota limits that Google put in place as a mitigation/control against any kind of abuse.
Steps to Reproduce
The steps to reproduce are trivial, since we already described the bug in the title:
1. Go to a large-size shared file on Google Drive.
2. Try to download it.
3. You will get “Download quota exceeded for this file, so you can’t download it at this time.”
4. To get past this “quota error”, click “DOWNLOAD ALL”.
The Expected Behavior
Google must check whether the files are subject to a quota limit, and only then perform the “Zipping and Downloading” procedures.
What is really happening
Files are downloaded normally from the endpoint (https://doc-XX-XX-drive-data-export.googleusercontent.com), and a direct download link is made available for the file regardless of its quota state.
Of course, other users are technically able to “Make a copy” of the file to get it onto their own Google Drive and then download it, but our demonstration shows a “restriction bypass”, since no one can now use the old trick of replacing “uc” with “open” in a URL like this one:
(that one was an old trick to download a quota exceeded file)
(Please fast-forward the video since it’s a long and boring one; I was waiting for Google’s servers to give me back the files.)
The Abusing Scenario
As per Google’s “Too many users have viewed or downloaded this file recently. Please try accessing the file again later. If the file you are trying to access is particularly large or is shared with many people, it may take up to 24 hours to be able to view or download the file. If you still can’t access a file after 24 hours, contact your domain administrator.” Google wants to limit abuse, so abusing this would be against its policy.
One last word
If you are a developer working on something similar, here is some free advice: before you start coding a new feature, follow the flow chart of your business logic and go through all the checkpoints before performing any actions/changes.
Stay safe, until the next one…
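The advice above as an added example (not part of the original post and not Google's code): a constructed model in which the single-file path checks the quota, a bulk path in the shape of the reported flaw skips it, and a hardened bulk path goes through the same gate. All names (`SharedFile`, `enforce_quota`, the `download_*` functions) and the sample data are hypothetical.

```python
from dataclasses import dataclass

class QuotaExceeded(Exception):
    """Raised when a file's download quota is used up."""

@dataclass
class SharedFile:            # hypothetical model of a shared file
    name: str
    downloads_today: int
    daily_limit: int

def enforce_quota(files):
    """Single gate for every download path: check all files, then charge them."""
    blocked = [f.name for f in files if f.downloads_today >= f.daily_limit]
    if blocked:
        raise QuotaExceeded(", ".join(blocked))   # refuse before any work is done
    for f in files:
        f.downloads_today += 1                    # bulk exports count too

def download_single(f):
    """Single-file path: quota is checked."""
    enforce_quota([f])
    return f"direct-link:{f.name}"

def download_all_flawed(files):
    """Shape of the reported flaw: zip and serve without asking the gate."""
    return "zip:" + ",".join(f.name for f in files)

def download_all_hardened(files):
    """Same feature, routed through the same gate as the single-file path."""
    enforce_quota(files)
    return "zip:" + ",".join(f.name for f in files)

def demo():
    """Constructed sample data: one file over quota, one under."""
    hot = SharedFile("big.iso", downloads_today=100, daily_limit=100)
    cold = SharedFile("notes.txt", downloads_today=3, daily_limit=100)
    results = {}
    for label, fn, arg in [("single", download_single, hot),
                           ("bulk_flawed", download_all_flawed, [hot, cold]),
                           ("bulk_hardened", download_all_hardened, [hot, cold])]:
        try:
            results[label] = fn(arg)
        except QuotaExceeded as exc:
            results[label] = f"denied:{exc}"
    results["cold_charged"] = cold.downloads_today   # stays 3: denial is all-or-nothing
    return results

if __name__ == "__main__":
    print(demo())
```

Because the gate checks every file before charging any of them, a denied bulk request leaves the counters of the other files untouched.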