Hi,
In this article we will look at a flaw in the Google product Gmail. As you know, Gmail is “one of the most popular email services in the world.” It is used worldwide for many purposes; some use it in an ethical way and some can also use it in an unethical way.
But what we are going to see here is basically the unethical way, therefore I hereby request that you understand this is only for educational purposes. If you attempt to use this method maliciously, you may find yourself facing serious consequences.
The day started with a thought: why not try to find some bugs on Google VRP? Then without delay I started exploring all the in-scope items of Google VRP.
After almost 2 hours I had found nothing, so I decided: why not try the Gmail attachment handling request? What if we can manipulate it so that it leads to “Remote code execution”?
But when I tried to attach the .php file, it showed me an error saying “Virus detected”. This caught my attention: what if we can bypass this restriction by some technique? Then I began scouring the internet, and there I found that this can be done using “HTML file smuggling”.
What is HTML Smuggling?
HTML smuggling is a sophisticated cyberattack technique where attackers embed malicious payloads, such as executable files, within HTML files. These HTML files are then sent as email attachments or delivered through web downloads. The crux of this method lies in its ability to evade detection by security software, which often scans for direct attachments of known dangerous file types, like executables (.exe, .php, .dll). By embedding the malicious file within an HTML document as a Binary Large Object (BLOB), attackers can smuggle malware right past security defenses.
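A defender-side view of the pattern described above, as an added example that is not from the original article or from Gmail: a static check an attachment filter could run over an HTML file, looking for script that rebuilds a file from inline encoded data and triggers a save. The indicator list, the names and both sample inputs are assumptions constructed for illustration.

```python
import base64
import re

# Heuristic indicators picked for this example; not a vendor or Gmail rule set.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_constructor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|<a[^>]+\bdownload\b", re.I),
    "mssaveblob": re.compile(r"msSave(?:OrOpen)?Blob"),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")   # long inline encoded data
RISKY_NAME = re.compile(r"""["']([^"']+\.(?:exe|dll|php|hta|lnk|iso))["']""", re.I)
MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive", b"<?php": "PHP script"}


def scan_html(html: str) -> dict:
    """Report smuggling indicators found in the text of an HTML attachment."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(html))
    embedded = []
    for run in B64_RUN.findall(html):
        head = base64.b64decode(run[:64])  # 48 decoded bytes are enough for a magic check
        kind = next((label for magic, label in MAGIC.items() if head.startswith(magic)),
                    "unknown data")
        embedded.append((len(run) * 3 // 4, kind))  # (approximate size, guessed type)
    # Flag only the combination: file built in script + large inline data + save trigger.
    builds_file = {"blob_constructor", "object_url"} & set(hits)
    saves_file = {"download_attr", "mssaveblob"} & set(hits)
    return {
        "indicators": hits,
        "embedded": embedded,
        "filenames": RISKY_NAME.findall(html),
        "suspicious": bool(builds_file and embedded and saves_file),
    }


# Constructed, inert samples: the "payload" is the two-byte MZ magic plus zero padding.
_FAKE = base64.b64encode(b"MZ" + bytes(298)).decode()
SMUGGLING_SAMPLE = (
    '<script>var d=atob("' + _FAKE + '");var b=new Blob([d]);'
    'var a=document.createElement("a");a.href=URL.createObjectURL(b);'
    'a.download="invoice.exe";</script>'
)
BENIGN_SAMPLE = '<html><body><a href="report.pdf" download>Quarterly report</a></body></html>'

if __name__ == "__main__":
    for label, doc in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_html(doc))
```

String matching of this kind is defeated by obfuscated or dynamically generated script, so it works as a triage signal alongside rendering the attachment in a sandbox and inspecting what the browser writes to disk.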
Here is a short image explanation of how HTML file smuggling works:
Then, without waiting a second, I started to search for an HTML file smuggling builder. Luckily, within a minute I found a GitHub repo that gives you a free HTML file smuggling builder.
Here is how you can do it:
1. Go to https://github.com/eddiechu/File-Smuggling.git
2. Locate “filesmugglingbuilder.html” in the GitHub repository.
3. Download the file.
4. Open the file in any browser.
5. Embed the harmful virus in that HTML file, for example an RCE file “remote_code.php”.
6. Now download the HTML file that has been made within that file.
7. Open Gmail and select that new HTML file as an attachment.
8. Now, this will send harmful files to anyone's system.

Note: I was able to edit this file's code in such a way that it automatically executes the .exe, which contains malware, on the victim's PC; then it was distributed on my local computer.
Then I reported this flaw to Google and received an automatic message that the report had been received.
Here is the timeline of Google's responsiveness.
1. Reported to Google — 31 March 2024
2. Report identified as Abuse Risk & triaged to Trust & Safety team 3 April 2024
After that a long time passed and I got no response from Google!
Report hasn’t been reviewed, team is managing high volume of reports — 21 May 2024
Received Nice catch 🎉 — 23 May 2024
Happy Happy Happy !!
Here is the masterstroke that Google surprised me with.
Status: Won’t Fix (Intended Behavior)
NOTE: This is an automatically generated email
Hello,
Our systems show that the bug we created based on your report has been closed without providing a fix.
This may have happened for various reasons: the risk impact might be too small to warrant a fix, there might be other mitigating factors, or simply the product is not maintained anymore.
The exact status is INTENDED_BEHAVIOR. This decision has been made by the relevant product teams and does not affect your VRP reward amount or Leaderboard position.
We can’t provide more details in this automated notification, but we’ll be happy to answer your questions regarding this decision.
Thanks,
Google Security Bot
I was like: after accepting the bug and assigning Severity 2 and Priority 2, how can the Google product team do this?
But then i got the answer,
Hey,
It looks to us as the issue you’re describing relies on social engineering, and we think that addressing it would not make our users less prone to such attacks. Please take a look at this for more explanation.
Regarding any potential reward, as mentioned in comment #26 your issue will be reviewed for reward eligibility and the VRP panel will take it up soon.
Thanks,
Google Trust & Safety Team
And yes, Google is right: it arises from social engineering only, and they have mentioned it in invalid reports. For that you can refer to this.
Then I had no option left. I just gave up hope and started hunting on another program.
But I have still not received the update regarding the VRP panel reward eligibility. Let’s see what happens.
Thanks
I hope that I will do better next time and make the internet a safer place.