Google Cloud has provided the following information in response to our request for comment:
- Google Cloud Platform's Terms of Service and product policies prohibit the spreading of malicious content using our services, and we work diligently to prevent and proactively address abuse. The URLs mentioned in this report have been suspended.
- Whenever a user attempts to proceed to an untrusted site, we warn them of known malicious URLs through Google Safe Browsing filters and other reported abuse.
- We also allow users to report abuse of Google Cloud services here.
A researcher has discovered a quirk in the way Google App Engine handles subdomains that could allow scammers to conduct email phishing campaigns undetected.
In legitimate scenarios, Google App Engine is used to develop and host web applications. However, according to security researcher Marcel Afrahim, the cloud-based platform can also be abused to bypass security controls and funnel victims to malicious landing pages.
The issue lies in the way the platform generates subdomains and routes visitors. By setting up a raft of invalid subdomains, all of which redirect automatically to a central malicious application, attackers can conceal their activity with ease.
- Here's our list of the best web development tools out there
- Check out our list of the best antivirus services right now
- We've built a list of the best email clients available
Traditionally, security professionals shield users from malicious applications by identifying and blocking requests to and from dangerous subdomains. However, the way Google App Engine generates subdomain URLs makes this process much more challenging.
Each subdomain created using the platform contains a marker that indicates the app version, service name, project ID and region ID. But if any of these pieces of information is invalid - providing the project ID is correct - the subdomain redirects automatically to a default page instead of serving a 404 error message.
This practice, known as soft routing, could allow scammers to create a vast pool of subdomains, all of which lead to a single malicious landing page. The attempts of security professionals, meanwhile, are hindered by the sheer volume of subdomains that lead to the dangerous page.
“Requests are received by any version that is configured for traffic in the targeted service. If the serving that you are targeting does not exist, the request gets soft routed,” explained Afrahim.
“If a request matches the PROJECT_ID.REGION_ID.r.appspot.com portion of the hostname, but includes a service, version or instance name that does not exist, then the request is routed to the default service, which is essentially your default hostname of the app.”
According to security researcher Yusuke Osumi, the vulnerability identified by Afrahim is already being exploited in the wild.
The researcher tweeted a list of more than 2,000 subdomains - generated automatically using Google App Engine’s domain generator - all of which led to a phishing landing page disguised as a Microsoft sign-in portal.
Google has not yet responded to our request for comment on what might be done to address the vulnerability.
- Here's our list of the best email hosting providers out there