Gmail attachment filter bypass

Some researchers point out that they are able to upload various files considered as malicious to our services. A common example is the ability to upload blacklisted file types as Gmail attachments by e.g. compressing the file multiple times, or by changing the file extension.

Gmail's attachment scanners aim to prevent various attacks on Gmail users, but they are necessarily imperfect. There will always be some combination of operating system and installed applications that makes a given file type executable for certain users (for example, PHP files or scripts in various languages may execute arbitrary commands if the user has the corresponding interpreter installed). Similarly, seemingly benign image or video files may trigger memory corruption vulnerabilities in image or video parsers.

We don't consider the Gmail attachment filter (or similar solutions in our other services) to be a sufficient protection mechanism against such attacks. While it may stop simple vectors, it is not designed to be a comprehensive solution protecting against all files downloaded from the Internet, especially when some amount of social engineering is involved to trick the victim into executing the payload.

Reports pointing out Gmail attachment filter bypasses are rarely accepted by Google VRP. As always, a realistic attack scenario and affected user base are taken into consideration when evaluating such reports.