Google User Content CDN
News | 07/20/2018

Malware Delivered using Google User Content CDN


Cyber miscreants are now abusing Content Delivery Network (CDN) providers to deliver malicious payloads to the victim’s PC.

Before we go further, let us first acquaint ourselves with the term Content Delivery Network (CDN).

When a user requests a news page, visits a shopping site or watches YouTube videos, they may experience latency while the web page loads. The delay is caused by a number of factors, the most important being the physical distance between the user and the website’s hosting server.

This is where the CDN comes into the picture. Its mission is to shorten this physical distance to improve site rendering performance and speed. A CDN stores a cached version of the content in multiple geographical locations.

A CDN is a network of distributed servers that is in charge of content delivery. Web pages or other web content are delivered to users on the basis of their geographic locations.

For instance, when a user requests a web page, the server node closest to the user delivers the cached website content quickly and reliably, thereby reducing latency.

How is Google User Content CDN used to deliver the malicious code?


Web security firm Sucuri (now part of GoDaddy) recently discovered that images hosted on Google’s official CDN are being injected with malicious code inside their metadata fields.

The images hosted on this domain are usually photos uploaded to the Google+ social network and sites.

The culprit behind the act is still not known. It’s difficult to identify where the images originate from as the URLs of the images have the same format and are anonymized.

Google User Content CDN: Modus Operandi

The campaign focused on stealing PayPal security tokens. PayPal is an online money transaction website used to transfer money quickly and easily.

Cyber miscreants accomplished this by injecting malicious code into the EXIF (Exchangeable image file format) “UserComment” metadata field of an image and loading the same on

Exif is a standard that specifies the formats for images and sounds used by scanners and other systems handling image and sound files.

The UserComment EXIF tag complements the ImageDescription tag and holds keywords or comments on the image.

The code contained in that field was a Base64-encoded string. When decoded, it turned out to be a malicious script that could upload a web shell (a script uploaded to a web server to enable remote administration of the machine) along with various other files to the compromised server. The script could also be used to vandalize the server.

Challenges to remove the image

Because the GoogleUserContent CDN was used to host the images carrying the malicious script, researchers are finding it a major challenge to get the images removed.

According to Google’s security policies, content found to be malicious can be reported and easily removed, but there is no way to report images that contain a malicious script. There is a form for reporting copyright infringement, but none for security issues related to malicious images.

Furthermore, most web-based security scanners usually skip images, which is a major gap that cyber miscreants take advantage of. These tools scan for malware in text-based files such as PHP and HTML, but not in the metadata of images loaded on websites.
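The scanning gap described above can be closed by inspecting image metadata directly. The following added example (not from the original article or from Sucuri) parses a JPEG's EXIF block, extracts the UserComment field, and flags Base64 runs that decode to script-like text; the marker list, function names and the constructed sample image are assumptions made for illustration.

```python
import base64, re, struct

EXIF_IFD, USER_COMMENT = 0x8769, 0x9286   # standard EXIF tag numbers
SCRIPT_MARKERS = (b"<?php", b"<script", b"eval(", b"base64_decode")  # assumed heuristics

def _entries(tiff, off, e):
    """Yield (tag, count, 4-byte value field) for each entry of the IFD at off."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    for i in range(n):
        tag, _type, count = struct.unpack_from(e + "HHI", tiff, off + 2 + 12 * i)
        yield tag, count, tiff[off + 10 + 12 * i: off + 14 + 12 * i]

def user_comment(jpeg):
    """Return the UserComment text bytes from a JPEG's EXIF block, or None."""
    pos = 2                                   # skip the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        seg = jpeg[pos + 4: pos + 2 + length]
        if jpeg[pos + 1] == 0xE1 and seg[:6] == b"Exif\0\0":
            tiff = seg[6:]
            e = "<" if tiff[:2] == b"II" else ">"      # TIFF byte order
            ifd0 = struct.unpack_from(e + "I", tiff, 4)[0]
            for tag, _, val in _entries(tiff, ifd0, e):
                if tag != EXIF_IFD:
                    continue
                for t, count, v in _entries(tiff, struct.unpack(e + "I", val)[0], e):
                    if t == USER_COMMENT:
                        start = struct.unpack(e + "I", v)[0]
                        return tiff[start + 8: start + count]  # skip 8-byte charset id
        pos += 2 + length
    return None

def suspicious(jpeg):
    """True if UserComment carries a Base64 run that decodes to script-like text."""
    for blob in re.findall(rb"[A-Za-z0-9+/]{24,}={0,2}", user_comment(jpeg) or b""):
        try:
            decoded = base64.b64decode(blob + b"=" * (-len(blob) % 4))
        except ValueError:
            continue
        if any(m in decoded.lower() for m in SCRIPT_MARKERS):
            return True
    return False

def build_sample(comment):
    """Constructed input: a minimal JPEG holding only an EXIF UserComment."""
    data = b"ASCII\0\0\0" + comment
    tiff = b"II*\0" + struct.pack("<IHHHIII", 8, 1, EXIF_IFD, 4, 1, 26, 0) \
        + struct.pack("<HHHIII", 1, USER_COMMENT, 7, len(data), 44, 0) + data
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run `suspicious()` over the raw bytes of each image a site references or stores; `build_sample()` exists only to produce constructed test input.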

