Last Modified: Wed, 17 Jan 2018 04:27:51 +0000 ; Created: Mon, 27 Nov 2017 17:55:21 +0000
Found a low-risk phishing weakness with a Google domain (googleapis.com). Even though it is related to phishing and doesn't have an OWASP Top 10 vulnerability (i.e. XSS) I thought it worth reporting to Google to see if they might consider a technical measure to at least stop it.
fonts.googleapis.com could be considered a trusted domain by users. It is possible to add arbituary text input (no html) into the page as an error message to the user. Adding some emoji unicode characters causes the page to look more scary and legit to an unsuspecting victim. An example image of what the malicious page looks like on an Android mobile device: The URL I used was: https://fonts.googleapis.com/css?directory=3&family=view_html_source Disclosure Timeline
Vendor's Quoted ResponseWe've investigated your submission and made the decision not to track it as a security bug. It will also not be accepted as part of our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users' data are in scope, and unfortunately we feel the issue you mention does not meet that bar :( Reflecting text in a web application or an e-mail message is a known issue with too little practical impact, if the resulting text/HTML is sanitized and allows only for a limited formatting (e.g. XSS is not possible). Please read here for our rationale for this issue: https://sites.google.com/site/bughunteruniversity/nonvuln/limited-content-reflection-or-content-spoofing If you think we've misunderstood, please do let us know! Concluding thoughtsI stated in my initial report that I also thought it was a low-risk/severity issue. I did recommend: "Limit the url param echoed text on the page to only 10 characters or don't show it at all. (If needed for debug require a "Details..." button to show the content or even base64 encode it so only a developer who knows what base64 is will decode it outside of their web browser anyway.)" Because the domain may be more trusted it would have been nice to see the message text limited. I think it is really only meant for developers who are debugging anyway. It would at least reduce opportunity for phishing attacks, but it is Google's decision on what to prioritize. |
|