An Interest In:
Web News this Week
- March 30, 2024
- March 29, 2024
- March 28, 2024
- March 27, 2024
- March 26, 2024
- March 25, 2024
- March 24, 2024
Some of Our Sources
- Web Designer Wall
- Just Creative
- The Logo Smith
- Smashing Apps
- Naldz Graphics
- My Ink Blog
- Design Modo
- Willems Lab
- Hashedout
- The Verge
Help Webnuz
Referal links:
September 27, 2020 02:34 pm
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/XWNb_udkv0g/google-app-engine-abused-to-create-unlimited-phishing-pages
'Google App Engine' Abused to Create Unlimited Phishing Pages
Google's cloud-based service platform for developing and hosting web apps "can be abused to deliver phishing and malware while remaining undetected by leading enterprise security products," reports Bleeping Computer, citing a startling discovery by security researcher Marcel Afrahim:A Google App Engine subdomain does not only represent an app, it represents an app's version, the service name, project ID, and region ID fields. But the most important point to note here is, if any of those fields are incorrect, Google App Engine won't show a 404 Not Found page, but instead show the app's "default" page (a concept referred to as soft routing)... Essentially, this means there are a lot of permutations of subdomains to get to the attacker's malicious app. As long as every subdomain has a valid "project_ID" field, invalid variations of other fields can be used at the attacker's discretion to generate a long list of subdomains, which all lead to the same app... The fact that a single malicious app is now represented by multiple permutations of its subdomains makes it hard for sysadmins and security professionals to block malicious activity. But further, to a technologically unsavvy user, all of these subdomains would appear to be a "secure site." After all, the appspot.com domain and all its subdomains come with the seal of "Google Trust Services" in their SSL certificates. Even further, most enterprise security solutions such as Symantec WebPulse web filter automatically allow traffic to trusted category sites. And Google's appspot.com domain, due to its reputation and legitimate corporate use cases, earns an "Office/Business Applications" tag, skipping the scrutiny of web proxies.Read more of this story at Slashdot.
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/XWNb_udkv0g/google-app-engine-abused-to-create-unlimited-phishing-pages
Share this article:
Tweet
View Full Article
Slashdot
Slashdot was originally created in September of 1997 by Rob "CmdrTaco" Malda. Today it is owned by Geeknet, Inc..More About this Source Visit Slashdot