‘Google App Engine’ Abused to Create Unlimited Phishing Pages

Google’s cloud-based service platform for developing and hosting web apps “can be abused to deliver phishing and malware while remaining undetected by leading enterprise security products,” reports Bleeping Computer, citing a startling discovery by security researcher Marcel Afrahim:

A Google App Engine subdomain represents not only an app but also the app’s version, the service name, project ID, and region ID fields. But the most important point to note here is, if any of those fields are incorrect, Google App Engine won’t show a 404 Not Found page, but instead shows the app’s “default” page (a concept referred to as soft routing)…

Essentially, this means there are a lot of permutations of subdomains to get to the attacker’s malicious app. As long as every subdomain has a valid “project_ID” field, invalid variations of other fields can be used at the attacker’s discretion to generate a long list of subdomains, which
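The practical consequence for defenders is that blocking one observed hostname is useless: the attacker simply picks another version or service label and the same project answers. The example below (added here; it is not code from Bleeping Computer or from the researcher) parses an appspot.com hostname into its fields and makes the block decision on the project ID, then enumerates a handful of soft-routed variants to show that they all collapse to the same project. It assumes the documented App Engine hostname layout, `[VERSION-dot-][SERVICE-dot-]PROJECT_ID[.REGION_ID.r].appspot.com`, which the excerpt describes but does not spell out; the project name, region and labels used for input are constructed for the demonstration.

```python
"""Canonicalise *.appspot.com hostnames so that a block/allow decision is made
on the Google Cloud project ID rather than on one soft-routed hostname variant.
Added example; hostname layout taken from the App Engine documentation."""
import itertools
import re
from typing import List, NamedTuple, Optional

APPSPOT_SUFFIX = ".appspot.com"

# Sanity check for a GCP project ID: 6-30 chars, lowercase letters, digits and
# hyphens, must start with a letter and must not end with a hyphen.
_PROJECT_ID_RE = re.compile(r"[a-z][a-z0-9-]{4,28}[a-z0-9]")


class AppspotHost(NamedTuple):
    project: str                 # the only field that identifies the app
    region: Optional[str]        # e.g. "uc"; None for the region-less form
    selectors: List[str]         # the "-dot-" prefixed version/service labels


def parse_appspot_host(hostname: str) -> Optional[AppspotHost]:
    """Split an App Engine hostname into project, region and selector labels.

    Layout assumed (from the App Engine docs, not from the article):
        [VERSION-dot-][SERVICE-dot-]PROJECT_ID[.REGION_ID.r].appspot.com
    Returns None for anything that is not an appspot.com host in that layout,
    including look-alikes such as "proj.appspot.com.attacker.example".
    """
    host = hostname.strip().rstrip(".").lower()
    if not host.endswith(APPSPOT_SUFFIX):
        return None
    labels = host[: -len(APPSPOT_SUFFIX)].split(".")
    if len(labels) == 1:                         # PROJECT.appspot.com
        region = None
    elif len(labels) == 3 and labels[2] == "r":  # PROJECT.REGION.r.appspot.com
        region = labels[1]
    else:
        return None
    parts = labels[0].split("-dot-")
    project = parts[-1]                          # project ID is always last
    if not _PROJECT_ID_RE.fullmatch(project):
        return None
    if any(not p for p in parts[:-1]):           # reject "-dot--dot-proj" junk
        return None
    return AppspotHost(project=project, region=region, selectors=parts[:-1])


def is_blocked(hostname: str, blocked_projects: set) -> bool:
    """Block on the project ID, so every soft-routed variant is caught."""
    parsed = parse_appspot_host(hostname)
    return parsed is not None and parsed.project in blocked_projects


def soft_routed_variants(project: str, region: str, labels: List[str]) -> List[str]:
    """Enumerate hostnames that all soft-route to the project's default app.

    Any one or two of the given labels are used as bogus version/service
    selectors; App Engine serves the default page for all of them.
    """
    variants = [f"{project}.{region}.r{APPSPOT_SUFFIX}",
                f"{project}{APPSPOT_SUFFIX}"]
    for n in (1, 2):
        for combo in itertools.permutations(labels, n):
            prefix = "-dot-".join(combo)
            variants.append(f"{prefix}-dot-{project}.{region}.r{APPSPOT_SUFFIX}")
    return variants


if __name__ == "__main__":
    # Constructed project ID and labels; nothing here is a real phishing host.
    blocked = {"evil-project-1234"}
    for host in soft_routed_variants("evil-project-1234", "uc",
                                     ["login", "secure", "v2"]):
        print(f"{host:60} blocked={is_blocked(host, blocked)}")
    print(is_blocked("evil-project-1234.appspot.com.attacker.example", blocked))
```

Feeding the proxy or DNS-log hostname through `parse_appspot_host` before matching a blocklist is the whole point: a list keyed on full hostnames grows without bound, while one keyed on project IDs needs a single entry per abusive project. The look-alike case in the last line of the demo shows why the suffix check must be anchored at the end of the name rather than done with a substring search.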


Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/XWNb_udkv0g/google-app-engine-abused-to-create-unlimited-phishing-pages
