Google Has Allowed Users To Bypass Phishing Filters By Accident

Gmail AH NS 03

A newly introduced Google tool makes circumventing phishing filters all too easy. As reported by Tech Radar, Google App Engine can now be abused to get around phishing filters and security controls.

Google has long had issues with phishing scams and scandals over the years. Back in 2019, a Google Translate tool was used to trick users into a phishing scam. Prior to this, however, it looked like Google had a handle on the issue as it staff demonstrated it could use security keys as a method of defense.

A researcher has now discovered this new quirk in the way Google App Engine handles subdomains. This means that scammers can easily conduct phishing campaigns undetected.


Google accidentally makes bypassing phishing filters all too easy

In normal scenarios, individuals can use Google App Engine to develop and host web applications. However, the cloud-based platform can then allow individuals to bypass security controls. This, in turn, allows them to funnel victims to malicious landing pages.

This appears to be an accidental issue with the way that Google App Engine generates subdomains and routes visitors.

Individuals can hide their malicious activity through this flaw. By setting up a whole load of invalid subdomains which all automatically redirect to one central malicious application making it difficult to track the activity.


This basically means malicious individuals have an easy way to get around phishing security controls. It, therefore, provides them with a simple way to conceal their activities.

Sheer volume makes it difficult or security individuals

Generally, security individuals protect from most phishing scams. This shields normal people from potentially malicious content by identifying and blocking requests to and from dangerous subdomains.

However, this becomes much more challenging because of the way Google App Engine generates subdomain URLs. Each subdomain comes with a marker that indicates the app version, service name, project ID and region ID.


The problem comes when these subdomains are invalid. So long as the project ID is correct the subdomain will redirect to a default page.

This is more commonly known as 'soft routing' which allows scammers to create vast pools of invalid subdomains. The reason it becomes so difficult for security individuals is the sheer volume of invalid subdomains that these individuals can create.

According to researchers, malicious individuals have already started to exploit this vulnerability. This accompanied a list of over 2000 subdomains which led phishing landing page disguised as a Microsoft sign-in portal.


Google is yet to respond to this issue. However, they will have to act fast in order to try and salvage what is a potentially very dangerous situation.