Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Google

'Google App Engine' Abused to Create Unlimited Phishing Pages (bleepingcomputer.com) 7

Google's cloud-based service platform for developing and hosting web apps "can be abused to deliver phishing and malware while remaining undetected by leading enterprise security products," reports Bleeping Computer, citing a startling discovery by security researcher Marcel Afrahim: A Google App Engine subdomain does not only represent an app, it represents an app's version, the service name, project ID, and region ID fields. But the most important point to note here is, if any of those fields are incorrect, Google App Engine won't show a 404 Not Found page, but instead show the app's "default" page (a concept referred to as soft routing)...

Essentially, this means there are a lot of permutations of subdomains to get to the attacker's malicious app. As long as every subdomain has a valid "project_ID" field, invalid variations of other fields can be used at the attacker's discretion to generate a long list of subdomains, which all lead to the same app... The fact that a single malicious app is now represented by multiple permutations of its subdomains makes it hard for sysadmins and security professionals to block malicious activity.

But further, to a technologically unsavvy user, all of these subdomains would appear to be a "secure site." After all, the appspot.com domain and all its subdomains come with the seal of "Google Trust Services" in their SSL certificates. Even further, most enterprise security solutions such as Symantec WebPulse web filter automatically allow traffic to trusted category sites. And Google's appspot.com domain, due to its reputation and legitimate corporate use cases, earns an "Office/Business Applications" tag, skipping the scrutiny of web proxies.

This discussion has been archived. No new comments can be posted.

'Google App Engine' Abused to Create Unlimited Phishing Pages

Comments Filter:
  • by awwshit ( 6214476 ) on Sunday September 27, 2020 @09:50AM (#60547876)

    I'm not sure how any company can run a public cloud service and not run into this problem. Like spam, its going to be a game of constant whack-a-mole. I see regular phishing attempts from cloud platforms. Some cloud services make it hard to complain - its easier to tell the FCC or FTC, hope they enjoy the fallout when it comes their way, it may take a while but it will eventually bubble up.

    Not surprised that yet another cloud service can be easily exploited.

    • Re:cloud services (Score:5, Insightful)

      by mrbester ( 200927 ) on Sunday September 27, 2020 @10:41AM (#60547974) Homepage

      > ". if any of those fields are incorrect, Google App Engine won't show a 404 Not Found page, but instead show the app's "default" page (a concept referred to as soft routing)"

      Not doing that would be a good start. No resource at a given URL? 404. End of. None of this "Oh, I'll just assume you made a typo coz Erlz is hrrd, so here's a page that does work" crap.

  • When only a few sites end up being trusted, abusing those site's trust is inevitable. Similar how Mozilla's centralized Firefox send got abused. Just wait for the endgame where an exploit in the Google.com homepage is exploited with all the amount of javascript and trackers that are being used.

Time is the most valuable thing a man can spend. -- Theophrastus

Working...