Trust in Google helps hackers get past security.

Hackers have found a new tool in their never-ending quest to cause trouble. They've begun abusing the Apps Script Business Application developed by Google in a bid to steal credit cards and personally identifiable information. That's significant because, given Google's dominant position on the internet, users trust the Apps Script Business Application.
That trust helps hackers mask their illicit activities and take advantage of the fact that vendors whitelist Google's subdomains by default. Google plays a critical role in today's internet, and most business owners rely heavily on a wide range of Google's tools and services.
We owe the discovery of this latest tactic to Sansec security researcher Eric Brandel.
Brandel had this to say about the recent discovery with Apps Script:
“This new threat shows that merely protecting web stores from talking to untrusted domains is not sufficient. E-commerce managers need to ensure that attackers cannot inject unauthorized code in the first place. Server-side malware and vulnerability monitoring are essential in any modern security policy.
…when a skimming campaign runs entirely on trusted Google servers, very few security systems will flag it as ‘suspicious.’ And more importantly, popular countermeasures like Content-Security-Policy (CSP) will not work when a site administrator trusts Google.
CSP limits the execution of untrusted code. But since pretty much everybody trusts Google, the model is flawed.”
And that's the crux of the problem: trust in Google helps hackers. Fortunately, if Google's past performance is any indication, they'll move swiftly to make their systems even more secure, thus limiting the threat. Until that happens, though, it pays to be mindful that the threat exists and to plan accordingly.
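
A check for the CSP weakness Brandel describes, as an added example that is not from Sansec, Google or the original article: it parses a policy and reports every source expression that would also permit an Apps Script endpoint. It assumes Apps Script web apps are served from `script.google.com`; the sample policy is constructed.

```javascript
// Added example (not Sansec's or Google's code): flag CSP sources that also
// permit Google Apps Script. The host below is the assumed Apps Script origin.
const APPS_SCRIPT_HOST = "script.google.com";
// true = directive falls back to default-src when absent; form-action does not.
const CHECKED = { "script-src": true, "connect-src": true, "img-src": true, "form-action": false };

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression allow https://<host>? Path parts are ignored,
// so a path-restricted source on the same host is still reported.
function sourceAllowsHost(source, host) {
  const s = source.toLowerCase();
  if (s.startsWith("'")) return false; // keywords, nonces, hashes
  if (s === "*" || s === "https:" || s === "http:") return true; // any https host
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(?:\/.*)?$/);
  if (!m) return false;
  const [, scheme, pattern, port] = m;
  if (scheme && scheme !== "https" && scheme !== "http") return false;
  if (port && port !== "443" && port !== "*") return false;
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function auditCsp(policy, host = APPS_SCRIPT_HOST) {
  const directives = parseCsp(policy);
  const findings = [];
  for (const [name, fallsBack] of Object.entries(CHECKED)) {
    const effective = directives.get(name) ?? (fallsBack ? directives.get("default-src") : undefined);
    if (effective === undefined) {
      findings.push({ directive: name, source: "(directive absent: unrestricted)" });
      continue;
    }
    for (const src of effective) {
      if (sourceAllowsHost(src, host)) findings.push({ directive: name, source: src });
    }
  }
  return findings;
}

// Constructed sample policy for a web store that trusts all Google subdomains.
const SAMPLE = "default-src 'self'; script-src 'self' https://*.google.com; form-action 'self'";
console.log(auditCsp(SAMPLE)); // one finding: script-src https://*.google.com
```

An empty result only means the policy does not allow that host; as the quote notes, preventing code injection on the server is still required.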