Googleusercontent

From Free Knowledge Base- The DUCK Project: information for everyone
Revision as of 22:07, 11 January 2024 by Littleguy (Talk | contribs)


googleusercontent

googleusercontent.com

There is a security risk involved. Because legitimate services rent capacity on this particular Google Cloud system, googleusercontent.com, it is difficult to tell which active connections to hosts on the domain are malicious and which are not. The same Google Cloud system is also being used by data thieves, hackers, and corporate logistics operations, to name a few. An active connection on your idle system could indicate an intruder, or it could simply belong to Firefox or the operating system updater. COMPANIES SHOULD NOT USE SERVICES FROM GOOGLE CLOUD, as the same system is being used for malicious activity. Google is making insufficient effort to keep criminals from using the system as well.

Hackers have found a way to share malware via trusted and reliable Google servers like those of googleusercontent. googleusercontent is Google’s domain for serving user-supplied content without affecting the safety of Google’s own pages.

"bc.googleusercontent.com" is Google's computing cloud.

bc.googleusercontent.com

bc originates from Google Compute Engine (Google Cloud). That does not have to be from Google itself. It is a service anyone can use.

Recently, Google has started storing images in a new domain, called googleusercontent.com. This domain is used for a variety of purposes, including cached copies of websites visited by the Google search engine, but the general purpose of this domain appears to be to store static content: i.e. content that is not expected to change.


Some other services that are from Google:

   lh3.googleusercontent.com Used for loading images for Google+.
   lh5.googleusercontent.com Used for loading images for Google+.
   lh6.googleusercontent.com Used for loading images for Google+.
   s3.googleusercontent.com Used for loading favicons for AdWords ads.
   static.googleusercontent.com
   themes.googleusercontent.com Used for loading font files for Google Fonts. (Generally called within CSS from fonts.googleapis.com)
   translate.googleusercontent.com Google Translation Service


There are different servers hosting Google user content. It looks like they are on lh[1-6].googleusercontent.com, with different prefixes.

For example, a picture in a Google Maps review gives this URL: https://lh5.googleusercontent.com/p/AF1QipO_dHIeVRPSIqwxu3VQY7n0rh_R_6oH92NKSJzE. Its prefix is "AF1Qip".

Google profile pictures start with "AOh14G".

We can also note that Google Photos / Albums URLs start with "AF1Qip" as well.

Mozilla Firefox using googleusercontent.com

Mozilla uses the Google Cloud Platform for Firefox components. It is rented server capacity. Extensions can use googleusercontent.com to host some of their data files.

Ubuntu Canonical using googleusercontent.com

Ubuntu using googleusercontent.com

  • connectivity-check.ubuntu.com

Ubuntu's connectivity checking is a NetworkManager feature that periodically checks whether the system can reach the internet. This is in poor taste on the part of the NetworkManager developers, as it creates what may appear to be suspicious-looking connections to a domain that is known to host malware and other types of misuse.

Recommended Solution for Ubuntu / Mint Linux Users: disable Network Manager connectivity checks

  • You can disable connectivity checking inside the menu: Preferences -> System settings -> Privacy -> Connectivity.

In the System Settings dialog under "Internet connectivity" is an ON/OFF toggle with the description: "Check that network connections can reach the Internet. This makes it possible to detect captive portals, but also generates periodic network traffic."

You DO NOT NEED nor benefit from connectivity checks if you are on your home computer connected to your own LAN or on an office computer connected to an office LAN, especially if connected via an Ethernet cable as opposed to wireless. It is best to disable it unless you are using a laptop and plan on visiting an Internet Cafe (or public wifi)!

  • You can keep it enabled and have it use a different host/domain as an alternative to googleusercontent.com:

sudo vi /usr/lib/NetworkManager/conf.d/20-connectivity-ubuntu.conf

Look for:

[connectivity]
uri=http://connectivity-check.ubuntu.com./

The system settings are stored in /var/lib/NetworkManager/NetworkManager-intern.conf, which is read after /etc/NetworkManager/conf.d/20-connectivity-ubuntu.conf:

sudo cat /var/lib/NetworkManager/NetworkManager-intern.conf
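
Because several files can each set keys in the [connectivity] section, changing the uri in one file does not by itself tell you what NetworkManager will probe. The script below is an added example, not part of the original page or of NetworkManager: it merges [connectivity] keys from files given in read order, last value winning. The read order (packaged file, then /etc/NetworkManager/conf.d, then NetworkManager-intern.conf), the ".set." key prefix and all three sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: effective [connectivity] keys from NetworkManager-style
# config files passed in read order (a later file overrides an earlier one).

effective_connectivity() {
    awk '
        FNR == 1                  { insec = 0 }      # new file: no section yet
        /^[ \t]*#/ || /^[ \t]*$/  { next }           # skip comments and blanks
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[connectivity\]/); next }
        insec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)     # keeps "=" inside URLs
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            sub(/^\.set\./, "", key)   # runtime-override prefix (assumed)
            if (!(key in seen)) order[++n] = key
            seen[key] = 1
            value[key] = val
        }
        END { for (i = 1; i <= n; i++) print order[i] "=" value[order[i]] }
    ' "$@"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed stand-ins for the three locations named in the text.
    printf '[connectivity]\nuri=http://connectivity-check.ubuntu.com./\n' \
        > "$d/usr-lib.conf"
    printf '[connectivity]\nuri=http://check.example.internal/\ninterval=600\n' \
        > "$d/etc.conf"
    printf '[connectivity]\n.set.enabled=false\n' > "$d/intern.conf"
    effective_connectivity "$d/usr-lib.conf" "$d/etc.conf" "$d/intern.conf"
    rm -rf "$d"
}

demo
```

On a live system, NetworkManager --print-config prints the merged configuration the daemon actually loaded, which is the authoritative check.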


Let's see if connectivity-check.ubuntu.com is really at bc.googleusercontent.com.

A simple test to run at the console:

$ host connectivity-check.ubuntu.com
connectivity-check.ubuntu.com has address 34.122.121.32
connectivity-check.ubuntu.com has address 185.125.190.49
connectivity-check.ubuntu.com has address 185.125.190.17
connectivity-check.ubuntu.com has address 35.232.111.17
connectivity-check.ubuntu.com has address 185.125.190.48
connectivity-check.ubuntu.com has address 35.224.170.84
connectivity-check.ubuntu.com has address 91.189.91.49
connectivity-check.ubuntu.com has address 91.189.91.48
connectivity-check.ubuntu.com has address 185.125.190.18
connectivity-check.ubuntu.com has IPv6 address 2620:2d:4000:1::23
connectivity-check.ubuntu.com has IPv6 address 2620:2d:4000:1::2b
connectivity-check.ubuntu.com has IPv6 address 2001:67c:1562::24
connectivity-check.ubuntu.com has IPv6 address 2001:67c:1562::23
connectivity-check.ubuntu.com has IPv6 address 2620:2d:4000:1::22
connectivity-check.ubuntu.com has IPv6 address 2620:2d:4000:1::2a

OK, let's reverse the first IP returned...

$ host 34.122.121.32
32.121.122.34.in-addr.arpa domain name pointer 32.121.122.34.bc.googleusercontent.com.

And so on. Ubuntu is paying Google for use of the shady googleusercontent.com.
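
The reverse lookup above can be applied to many addresses at once. The script below is an added example, not part of the original page: it parses reverse-lookup lines as printed by host and flags PTR names of the form D.C.B.A.bc.googleusercontent.com whose embedded octets match the queried IP. The function names, the labels and the second sample line (a documentation address) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Compute Engine PTR names in `host <ip>` output.

# gce_ptr_ip NAME: print the IPv4 address encoded in a
# D.C.B.A.bc.googleusercontent.com name; return 1 for any other name.
gce_ptr_ip() {
    name=${1%.}                                  # drop trailing root dot
    case $name in
        *.bc.googleusercontent.com) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "${name%.bc.googleusercontent.com}" | awk -F. '
        NF != 4 { exit 1 }                       # need exactly four labels
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          print $4 "." $3 "." $2 "." $1 }'
}

# classify_ptr_lines: read "<rev>.in-addr.arpa domain name pointer <name>"
# lines on stdin and print "<ip> <label>" for each.
classify_ptr_lines() {
    while read -r arpa w1 w2 w3 ptr; do
        case $arpa in *.in-addr.arpa) ;; *) continue ;; esac
        # Recover the queried IP from the in-addr.arpa owner name.
        ip=$(printf '%s\n' "${arpa%.in-addr.arpa}" |
             awk -F. '{ print $4 "." $3 "." $2 "." $1 }')
        # Require the name to embed the same IP that was looked up.
        if fwd=$(gce_ptr_ip "$ptr") && [ "$fwd" = "$ip" ]; then
            echo "$ip compute-engine-tenant"
        else
            echo "$ip other ${ptr%.}"
        fi
    done
}

# First line is the lookup result shown on this page; second is constructed.
sample_lines() {
cat <<'EOF'
32.121.122.34.in-addr.arpa domain name pointer 32.121.122.34.bc.googleusercontent.com.
10.2.0.192.in-addr.arpa domain name pointer host.example.net.
EOF
}

sample_lines | classify_ptr_lines
```

A compute-engine-tenant label only says the address is rented Compute Engine capacity; as noted above, that can be anyone, so it identifies the hosting and not the operator.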