Researcher Finds Gmail Does Not Re-Scan Malicious Files Shared via Google Drive Links

A security researcher demonstrated that Gmail can apply a "Scanned by Gmail" label to emails containing links to malicious files hosted on Google Drive even after the same file was blocked by Gmail's attachment scanner, Forbes reported. Ben Ilkashi, a security researcher at Pentera Labs, exclusively shared his research with Forbes.

Ilkashi uploaded a malicious SVG sample that Gmail had already flagged as "virus detected" and prevented from being sent directly.

He then configured the file on Google Drive to be accessible to anyone with the share link. Gmail did not re-scan the malicious file hosted on Google Drive when included via link in a new email. Instead, it applied a "Scanned by Gmail" label.

Google Drive marks malicious files as "Flagged for abuse," prevents anyone aside from the author from downloading them, and shows a warning interstitial. Pentera Labs published Ilkashi’s research following a 90-day responsible disclosure period. On January 22, Google’s Trust and Safety unit confirmed that no fix timeline was available, according to Ilkashi.

The unit also stated that the decision regarding disclosure timing was up to Pentera Labs. A proof-of-concept video demonstrated the method using a crafted ransomware executable that employs xor-based encryption. txt in the same directory.

Google Drive has an estimated one billion active users. Google is actively updating the user interface to clarify how safety checks are displayed when files are shared via Google Drive links. " The research highlighted an architectural misalignment within Google’s unified security framework.

This enables malware otherwise explicitly blocked by Gmail’s attachments scanner to be hosted on Drive and delivered alongside a "Scanned by Gmail" label of trust. The flaw stems from Gmail granting implicit trust to files originating from Google Drive.