Attackers would LOVE having the ability to upload executable files to domains like Google.com, Facebook.com, and Bing.com. How cool would it be for them if their files are downloaded without ever being uploaded! Yes, download without upload! RFD is a new web based attack that extends reflected attacks beyond the context of the web browser. Attackers can build malicious URLs which once accessed, download files, and store them with any desired extension, giving a new malicious meaning to reflected input, even if it is properly encoded. Moreover, this attack allows running shell commands on the victim’s computer.
How bad is it? By using this attack on Google.com, Bing.com and others, I created the first cross-social-network worm that is downloadable from trusted sites like Google.com, completely disables same-origin-policy, steals all browser cookies, and spreads itself throughout all social networks such as Facebook, Twitter, Google+, and LinkedIn.