'Google App Engine' Abused to Create Unlimited Phishing Pages (bleepingcomputer.com)
Google's cloud-based service platform for developing and hosting web apps "can be abused to deliver phishing and malware while remaining undetected by leading enterprise security products," reports Bleeping Computer, citing a startling discovery by security researcher Marcel Afrahim:
A Google App Engine subdomain does not only represent an app; it also represents an app's version, the service name, project ID, and region ID fields. But the most important point to note here is, if any of those fields are incorrect, Google App Engine won't show a 404 Not Found page, but instead show the app's "default" page (a concept referred to as soft routing)...
Essentially, this means there are a lot of permutations of subdomains to get to the attacker's malicious app. As long as every subdomain has a valid "project_ID" field, invalid variations of other fields can be used at the attacker's discretion to generate a long list of subdomains, which all lead to the same app... The fact that a single malicious app is now represented by multiple permutations of its subdomains makes it hard for sysadmins and security professionals to block malicious activity.
But further, to a technologically unsavvy user, all of these subdomains would appear to be a "secure site." After all, the appspot.com domain and all its subdomains come with the seal of "Google Trust Services" in their SSL certificates. Even further, most enterprise security solutions such as Symantec WebPulse web filter automatically allow traffic to trusted category sites. And Google's appspot.com domain, due to its reputation and legitimate corporate use cases, earns an "Office/Business Applications" tag, skipping the scrutiny of web proxies.
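The practical defensive consequence of soft routing is that blocklists keyed on full hostnames do not work: every version and service label the attacker invents resolves to the same app, so the only stable handle is the project ID. The following is an added example, not code from the Bleeping Computer article or from the researcher, showing how a proxy or SIEM pipeline can normalise observed appspot.com hostnames down to that project ID and count how many distinct label permutations hit each project. It relies on Google's documented hostname layout, `VERSION-dot-SERVICE-dot-PROJECT_ID.REGION_ID.r.appspot.com` (with a legacy form that omits the region); the sample hostnames and project names are constructed for illustration and do not refer to any real deployment.

```python
import re
from collections import defaultdict

# Documented App Engine hostname layouts (the only part this parser depends on):
#   [VERSION-dot-][SERVICE-dot-]PROJECT_ID.REGION_ID.r.appspot.com
#   [VERSION-dot-][SERVICE-dot-]PROJECT_ID.appspot.com            (legacy, no region)
APPSPOT_RE = re.compile(
    r"^(?P<labels>[a-z0-9-]+)"          # version/service/project joined by "-dot-"
    r"(?:\.(?P<region>[a-z0-9]+)\.r)?"  # optional ".REGION_ID.r"
    r"\.appspot\.com\.?$",              # anchored: foo.appspot.com.evil.test must NOT match
    re.IGNORECASE,
)

# Constructed sample: four soft-routed permutations of one (hypothetical) abusive
# project, one hostname from an unrelated (hypothetical) legitimate project, and
# two non-appspot hosts that must be ignored.
SAMPLE_HOSTS = [
    "login-dot-secure-dot-evil-project-123.uc.r.appspot.com",
    "v2-dot-portal-dot-evil-project-123.uc.r.appspot.com",
    "evil-project-123.uc.r.appspot.com",
    "microsoft-dot-office365-dot-evil-project-123.appspot.com",
    "legit-intranet-app.ew.r.appspot.com",
    "www.example.com",
    "evil-project-123.appspot.com.attacker.test",
]


def parse_appspot_host(host):
    """Split an appspot.com hostname into its routing fields.

    Returns a dict with version, service, project and region (None when the
    field is absent), or None if the host is not an appspot.com hostname.
    """
    m = APPSPOT_RE.match(host.strip().lower())
    if not m:
        return None
    parts = m.group("labels").split("-dot-")
    # The project ID is always the LAST "-dot-"-separated label. Everything in
    # front of it is version/service, which soft routing lets an attacker vary
    # freely, so those fields are useless as a blocking key.
    project = parts[-1]
    service = parts[-2] if len(parts) >= 2 else None
    version = parts[-3] if len(parts) >= 3 else None
    return {"version": version, "service": service,
            "project": project, "region": m.group("region")}


def canonical_project(host):
    """The one field worth blocking on; None for non-appspot hosts."""
    parsed = parse_appspot_host(host)
    return parsed["project"] if parsed else None


def cluster_by_project(hosts):
    """Group observed hostnames by the project that actually serves them."""
    groups = defaultdict(set)
    for h in hosts:
        project = canonical_project(h)
        if project:
            groups[project].add(h.strip().lower())
    return dict(groups)


def permutation_counts(hosts):
    """Distinct (version, service) pairs seen per project.

    Many distinct pairs converging on one project in a short window is the
    signature of the enumeration described above; a legitimate app usually
    shows one or two.
    """
    pairs = defaultdict(set)
    for h in hosts:
        parsed = parse_appspot_host(h)
        if parsed:
            pairs[parsed["project"]].add((parsed["version"], parsed["service"]))
    return {project: len(s) for project, s in pairs.items()}


if __name__ == "__main__":
    for project, hosts in cluster_by_project(SAMPLE_HOSTS).items():
        print(f"{project}: {len(hosts)} hostname(s), "
              f"{permutation_counts(SAMPLE_HOSTS)[project]} label permutation(s)")
```

Feeding `canonical_project` into a proxy's block decision, instead of matching on the literal hostname, collapses the whole permutation space to a single rule per malicious project. The counting function is the detection side of the same idea: it does not judge any one hostname, only how many different version/service labels are being used to reach a project.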
cloud services (Score:3)
I'm not sure how any company can run a public cloud service and not run into this problem. Like spam, it's going to be a game of constant whack-a-mole. I see regular phishing attempts from cloud platforms. Some cloud services make it hard to complain - it's easier to tell the FCC or FTC, hope they enjoy the fallout when it comes their way, it may take a while but it will eventually bubble up.
Not surprised that yet another cloud service can be easily exploited.
Re:cloud services (Score:5, Insightful)
> ". if any of those fields are incorrect, Google App Engine won't show a 404 Not Found page, but instead show the app's "default" page (a concept referred to as soft routing)"
Not doing that would be a good start. No resource at a given URL? 404. End of. None of this "Oh, I'll just assume you made a typo coz Erlz is hrrd, so here's a page that does work" crap.
Re:Sign of web consolidation (Score:4, Insightful)
If we stopped training people to think that looking at a URL is too hard, maybe they would do it.
But that would prevent Google from walled-gardening with their spiffy icons and bright colors.