Abusing Google Apps and Data API: Google is My Command and Control Center
Abusing Google Apps & Data API
Google is my C2.
Information Security Enthusiast
Founder of OWASP Xenotix XSS Exploit Framework
Strong supporter of Free and Open Information Security
Runs a DEFCON chapter in Kerala.
All third party images are the property of their
Just pointing out how some innocent services
can be abused.
I am not responsible for anything.
Abusing AppScript for e-mail bombing
Data URI + Google Forms + TinyURL = Phishing Variant
Google Spreadsheet + DATA API = A Botnet
xBOT : A prototype Bot
Email Bombing: the old ways
Methods of e-bombing
Open Relay servers
PHP/ASP/JSP Mail Functions
Misconfigured Mail Sending features in Web Apps
Now blocked by services like Gmail, Live, Yahoo etc.
E-bombs will end up in SPAM folder.
Data URI phishing was described by “Henning Klevjer” in his paper.
Data URIs allow you to include data inline in web pages via the URL.
DATA URI + Google Forms + Tiny URL = Beauty
Combining all of these gives a beautiful phishing attack.
A perfect addition to social engineering.
Channelizing Google SpreadSheet
Google Spreadsheet can store data online.
You can export the contents of the spreadsheet as JSON, RSS and TSV.
Read and write remotely.
What else do you want?
Selecting the right URL format
What is xBOT?
xBOT is a PoC bot.
Uses Google Spreadsheet and Forms to implement its communication channel.
Uses Google DATA API to extract the commands.
Uses a third-party server for file hosting.
Command and Control
Every 4 Sec
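Detection view of the polling described above, as an added example that is not part of the original slides: it flags clients that request a Google Sheets host at near-constant intervals in proxy logs. The log format, the watched host list, the thresholds and all sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumption: hosts that carry Sheets/Forms traffic; adjust to your proxy's naming.
WATCHED_HOSTS = {"docs.google.com", "spreadsheets.google.com"}
EPOCH = datetime(1970, 1, 1)

def sample_log():
    """Constructed sample rows: '<ISO time> <client> <host> <path>'."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    def row(sec, client, host):
        return f"{(base + timedelta(seconds=sec)).isoformat()} {client} {host} /PLACEHOLDER"
    rows = [row(4 * i, "10.0.0.5", "spreadsheets.google.com") for i in range(10)]  # fixed 4 s poll
    rows += [row(s, "10.0.0.9", "docs.google.com") for s in (0, 7, 95, 101, 340, 900, 905)]  # human
    rows += [row(4 * i, "10.0.0.7", "example.org") for i in range(10)]  # regular, unwatched host
    return rows

def parse(lines):
    """Yield (client, host, seconds) and skip malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, host, _path = parts
        try:
            seconds = (datetime.fromisoformat(ts) - EPOCH).total_seconds()
        except ValueError:
            continue
        yield client, host.lower(), seconds

def find_beacons(lines, min_requests=6, max_jitter=0.1):
    """Return {(client, host): mean_interval_s} for machine-regular polling."""
    seen = defaultdict(list)
    for client, host, seconds in parse(lines):
        if host in WATCHED_HOSTS:
            seen[(client, host)].append(seconds)
    hits = {}
    for key, times in seen.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation near 0 means timer-driven, not human, traffic.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg, 1)
    return hits

if __name__ == "__main__":
    print(find_beacons(sample_log()))
```

An open spreadsheet in a browser also generates regular requests, so treat a hit as a triage lead and correlate it with the requesting process or user agent before escalating.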