IP/Port scanning via Google services

Occasionally we receive reports about Google products that issue network requests to third-party services where the attacker controls the destination IP address and port number. Usually the attack scenario describes a Google product acting as a proxy to perform an IP/port scanning attack. This technique is described in this article.

If the accessed IP addresses are public, we don't consider this to be a vulnerability in itself. In fact, oftentimes it's a legitimate product feature. For example, a feed grabbing application needs to access feeds under a certain user-specified URL. If the only gain for the attackers is the ability to hide their IP address, there are various other ways to do it (e.g. Tor), and the vast majority of the proxy services we have include the original user's IP anyway.

If the concern is Denial of Service, using Google services to port scan is probably suboptimal as several insanely fast port scanners exist and it's up to the target endpoint to appropriately react to the incoming traffic.

Having said that, there are two notable exceptions:

  • If you are consistently able to get us to send repeated requests at a high rate, for the purpose of being a good network citizen, we'd rather fix it, so please tell us.
  • If you're able to fingerprint our internal networks through the public services, or use special protocol handlers like file:// to access files (use the SSRF bible for inspiration), we'd like to know. It's most likely a vulnerability ($$$!).

When in doubt, please send us the report and we'll promptly review it.
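The line between the accepted case (fetching a public, user-specified URL) and the second exception (internal networks, non-web protocol handlers) can be expressed as a pre-fetch check. The sketch below is an added example, not Google's code: the function names, the scheme allowlist and the `SAMPLE_DNS` records are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the fetcher only needs web URLs

# Constructed DNS records so the example runs offline.
SAMPLE_DNS = {
    "feeds.example.org": ["8.8.8.8"],
    "intranet.example.org": ["10.1.2.3"],
    "mixed.example.org": ["8.8.8.8", "169.254.169.254"],
}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise OSError("no such host")
    return SAMPLE_DNS[host]

def system_resolver(host):
    """Real lookup: every address the name resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so a mapped internal IPv4 address is not missed.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global

def check_fetch_target(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL the service is asked to fetch."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme}' not allowed"
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # IP literal, no lookup needed
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, "host does not resolve"
    # Reject if ANY record is internal: the fetcher may connect to any of them.
    internal = [a for a in addresses if not is_public(a)]
    if internal:
        return False, f"non-public address {internal[0]}"
    return True, "public destination"
```

The check only holds if the fetcher then connects to the address that was validated rather than resolving the name a second time, and if every redirect target is passed through the same function.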