I discovered a vulnerability in Google Drive last year that allows bypassing the content filter on uploaded files, and Google refuses to acknowledge the threat because my proof of concept demonstrated an open redirect. It bypasses the full content scan, which I later determined also allows me to serve fake Google pages from a Google domain.<p>The bug allowed a malicious actor to share the file, which generated an email from Google containing a link to Google that redirected to a payload containing a Gmail worm.<p>I spent an entire weekend reverse engineering the attack and had to wait a month for Google to respond saying they wouldn't fix it, because I mentioned open redirect.<p>PoC: <a href="https://googledrive.com/host/0B8F0jrIiu66GbmFFaGpHOTJ5TUU" rel="nofollow">https://googledrive.com/host/0B8F0jrIiu66GbmFFaGpHOTJ5TUU</a>