Google Drive: Badly implemented logic leads to a trivial bypass of any "Large File Download Quota Limits"!
Mohamed A. Baset

TL;DR

Today’s bug is a trivial bypass which, if exploited, gives the attacker the ability to download a large file regardless of the quota limits that Google put in place as a mitigation/control for any kind of abuse.

Steps to Reproduce

The steps to reproduce are trivial, as the title already describes the bug:

1. Go to a large-size shared file on Google Drive.

2. Try to download it.

3. You will get “Download quota exceeded for this file, so you can’t download it at this time.”

4. To get past this “quota error”, click “DOWNLOAD ALL”.

The Expected Behavior

Google must check whether the files have quota limits before performing the “Zipping and Downloading” procedures.

What is really happening

Files are downloaded as normal from the endpoint (https://doc-XX-XX-drive-data-export.googleusercontent.com), and a direct download link is made available for the file regardless of its quota state.

Side comments

Of course, other users are technically able to “Make a copy” of the file into their own Google Drive and then download it, but our demonstration shows a “restriction bypass”, since no one can now use the old trick of replacing “uc” with “open” in a URL like this one: https://drive.google.com/[uc]?id=XXX&export=download (that was an old trick for downloading a quota-exceeded file).

PoC Video

(Please fast-forward the video since it’s a long and boring one; I was waiting for Google’s servers to give me back the files.)

The Abusing Scenario

Google’s own notice reads: “Too many users have viewed or downloaded this file recently. Please try accessing the file again later. If the file you are trying to access is particularly large or is shared with many people, it may take up to 24 hours to be able to view or download the file. If you still can’t access a file after 24 hours, contact your domain administrator.” Google wants to limit this abuse, so abusing this bypass would be against its policy.

One last word

If you are a developer working on something similar, here is some free advice: before you start coding a new feature, follow the flow chart of your business logic and go through all the checkpoints before performing any actions or changes.
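A minimal sketch of that advice, added here as an illustration (it is not Google's code and not part of the original post): the single-file path and the bulk "zip and download" path are modelled side by side, first with the quota check missing from the bulk path and then with the same gate applied to both. All names (`QuotaStore`, `QuotaExceeded`, `export_zip_flawed`, `export_zip_checked`) and the sample files are hypothetical.

```python
import io
import zipfile

FILES = {"big.iso": b"A" * 64, "notes.txt": b"hello"}  # constructed sample data

class QuotaExceeded(Exception):
    """Raised when a file's download quota is used up."""

class QuotaStore:
    """Hypothetical in-memory per-file download counter."""
    def __init__(self, limit):
        self.limit, self.counts = limit, {}

    def exceeded(self, file_id):
        return self.counts.get(file_id, 0) >= self.limit

    def record(self, file_id):
        self.counts[file_id] = self.counts.get(file_id, 0) + 1

def download_single(quota, file_id):
    """Single-file path: the quota is checked before any bytes are served."""
    if quota.exceeded(file_id):
        raise QuotaExceeded(file_id)
    quota.record(file_id)
    return FILES[file_id]

def _zip(file_ids):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fid in file_ids:
            zf.writestr(fid, FILES[fid])
    return buf.getvalue()

def export_zip_flawed(quota, file_ids):
    """Bulk path as the post describes it: zips without consulting the quota."""
    return _zip(file_ids)

def export_zip_checked(quota, file_ids):
    """Bulk path behind the same gate: check every file first, then zip."""
    blocked = [fid for fid in file_ids if quota.exceeded(fid)]
    if blocked:
        raise QuotaExceeded(", ".join(blocked))  # fail before any work is done
    for fid in file_ids:
        quota.record(fid)
    return _zip(file_ids)
```

The checked version rejects the whole request before recording or zipping anything, so a blocked file cannot ride along with permitted ones and a rejected request does not consume quota for the others.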

Stay safe, Until the next one…
