Reflected File Download
The so-called "Reflected File Download" technique allows attackers to force the browser to initiate a file download from a given origin with partially controlled content. For example, this could be used to create a social engineering attack in which users trust that the file is a legitimate software installer coming from a trusted website.
We understand this attack technique, but at the same time believe it's not a very practical one. When making a decision on whether to execute a file, users rely on the context in which the file download was initiated, and not on where the file was actually hosted. In some browsers, this information is not even displayed by default, and users can see it only on a Downloads page. So, while Reflected File Download could be used to create a social engineering attack, there are other, more practical ways to achieve the same goal.
Conclusion
Reports using social engineering attack techniques usually fall outside the scope of Google's Vulnerability Reward Program, so it's likely we won't file a bug or issue a reward for reports indicating locations where Reflected File Download could be used. Before sending a report, please remember to include a realistic attack scenario, preferably one that doesn't require social engineering.