Reflected File Download

The so-called "Reflected File Download" (RFD) is a technique that allows an attacker to force the browser to initiate a file download from a given origin with partially controlled content. It might be used in a social engineering attack in which users believe that the file is, for example, a legitimate software installer coming from a website they trust.

We understand this attack technique, but at the same time believe it's not a very practical one. When deciding whether to execute a file, users rely on the context in which the file download was initiated, not on where the file was actually hosted. In some browsers, the hosting origin is not even displayed by default and can be seen only on the Downloads page. RFD can be used to create a social engineering attack, but there are other, more practical ways to achieve the same result.

Reports that rely on social engineering techniques usually fall outside the scope of Google's Vulnerability Reward Program, so it's likely we won't file a bug or issue a reward for places where one could use RFD. Before sending a report, please remember to include a realistic attack scenario, preferably one that doesn't require social engineering.