palantir / phishcatch

A browser extension and API server for detecting corporate password use on external websites
https://github.com/palantir/phishcatch/wiki
Apache License 2.0

[Security] Domain verification could be easily bypassed #16

Closed smaury closed 3 years ago

smaury commented 3 years ago

Summary

While taking a quick look at the code I noticed that the hostMatches function used to verify whether a given host is in the config.enterprise_domains array is weak and could be easily bypassed.

Description

While visiting a website the extension reads the current hostname and calls the getDomainType function in order to understand whether, among other things, a green badge should be displayed or not, indicating that the website is a corporate one and should be trusted.

Under the hood, getDomainType calls hostMatches: https://github.com/palantir/phishcatch/blob/07b0b359d7a662c69d10b7f9364433c07cb4ec17/extension/src/lib/getDomainType.ts#L34-L47

It basically loops over all the domains stored in config.enterprise_domains and:

This approach is very weak because it would mark as an enterprise domain any domain ending with (in my example) google.com (i.e. nomoregoogle.com). It should also be pointed out that using fake domains ending with the legitimate one is a very common phishing technique.

PoC

  1. Install the Phishcatch extension
  2. Set as enterprise_domains: ["*.google.com"]
  3. Visit https://nomoregoogle.com
  4. Notice that the green badge on the Phishcatch extension appears

Addendum

While writing this issue I also realized that, as enterprise_domains are treated as RegExp, the . character is evaluated as a wildcard. This means that if enterprise_domains contains ["*.nomor.google.com"] then nomoregoogle.com would be matched as an enterprise domain.

carbureted commented 3 years ago

Good find. Will have this fixed later today.

smaury commented 3 years ago

The fix looks good on my side.