Mark Maunder – Wordfence Founder/CEO – @mmaunder
Update: Official Statement from Google
This is an update at 11:30pm PST on Tuesday the 17th of January 2017. I was contacted by Aaron Stein from Google Communications. He has provided the following official statement from Google:
“We’re aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”
I asked Aaron two follow-up questions:
“Chrome 56 will include the text “Not secure” in the location bar on non-SSL websites where a page contains a password field or credit card input field. This is a fine example of a visual indication in the location bar that helps secure users. Are the Chrome dev team considering some visual indication in the browser location bar for data URI’s? That would help defeat this attack because, currently, there is no visual indication of anything awry when viewing a phishing data URI. It’s worth noting that the safe browsing system is currently unable to detect malicious data URI’s because it is currently geared for traditional hostname-path URL’s.
Second question: Emails that contain malicious data URI’s are the attack vector in this case. Are the GMail team considering any additional filtering or alerting related to data URI’s as attachments in the GMail web application?
I think any guidance you can provide on the above two questions will go a long way to put Chrome and GMail user’s minds at ease.”
He responded with:
“I can’t speak to things that aren’t out yet, but *please* watch this space. Should have more to share soon”
My thoughts on this response:
I think this is a perfectly acceptable response from Google. To be clear, there are several teams within the Google organization that this affects:
The Google Chrome browser team will be the ones who would implement any change in the location bar behavior when viewing a phishing data URI. The GMail team would implement filtering and alerting within the GMail application with a data URI attachment is received with other associated phishing markers. The Google Safe Browsing team may add support for malicious data URI’s in the GSB API and make that available to the Chrome browser team.
There may be other parts of the Google organization that touches including operations.
Asking Aaron to provide early guidance on how Google will mitigate this when it affects so many teams was a big ask, but I would be remiss if I didn’t hit him with a couple of follow-up questions. The good news is that Google is aware of the issue and we have an official statement that indicates there will be something forthcoming in future releases of Chrome, GMail and possibly other products that can help mitigate this.