Summary
While giving a quick look at the code I noticed that the hostMatches function, used to verify whether a given host is in the config.enterprise_domains array, is weak and can be easily bypassed.
Description
While visiting a website the extension reads the current hostname and calls the getDomainType function in order to decide, among other things, whether a green badge should be displayed, indicating that the website is a corporate one and should be trusted. getDomainType calls hostMatches under the hood: https://github.com/palantir/phishcatch/blob/07b0b359d7a662c69d10b7f9364433c07cb4ec17/extension/src/lib/getDomainType.ts#L34-L47
It basically loops over all the domains stored in config.enterprise_domains and:
If the stored domain matches the visited one, it returns true.
If the stored domain is a wildcard one (e.g. *.google.com), it checks that the visited one ends with the wildcard domain without the leading *. .
This approach is very weak because it marks as an enterprise domain any domain ending with (in my example) google.com, e.g. nomoregoogle.com.
It should also be pointed out that using fake domains ending with the legitimate one is a very common phishing technique.
PoC
enterprise_domains: ["*.google.com"]
Notice that the green badge on the Phishcatch extension appears
Addendum
While writing this issue I also realized that, as enterprise_domains are treated as RegExp, the . character is evaluated as a wildcard. This means that if enterprise_domains contains ["*.nomor.google.com"] then nomoregoogle.com would be matched as an enterprise domain.
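As an added example (not phishcatch's own code), here is a simplified model of the weak matching described in this issue next to a hardened hostMatches that compares hostname labels literally and only accepts a wildcard on a "." label boundary. The exact way the weak version builds its RegExp is an assumption based on the description above.

```typescript
// Weak matcher, reconstructed from the issue's description (assumption: the
// stored pattern is turned into a RegExp with the leading "*." dropped, so an
// unescaped "." matches any character and there is no label boundary check).
function weakHostMatches(host: string, patterns: string[]): boolean {
  return patterns.some((pattern) => {
    if (pattern === host) return true;
    if (pattern.startsWith("*.")) {
      // "*.google.com" -> /google.com$/ : "." is a regex wildcard here and
      // any host that merely ends with the characters "google.com" passes.
      return new RegExp(pattern.slice(2) + "$").test(host);
    }
    return false;
  });
}

// Hardened matcher: never go through a RegExp, normalise the hostname, and
// let a wildcard cover the bare domain and its subdomains only.
function safeHostMatches(host: string, patterns: string[]): boolean {
  const h = host.toLowerCase().replace(/\.$/, ""); // case + trailing dot
  return patterns.some((raw) => {
    const pattern = raw.toLowerCase().replace(/\.$/, "");
    if (!pattern.startsWith("*.")) {
      return h === pattern; // non-wildcard entries are exact matches only
    }
    const base = pattern.slice(2); // "*.google.com" -> "google.com"
    // "mail.google.com" matches, "nomoregoogle.com" does not: the character
    // before the base must be a label separator.
    return h === base || h.endsWith("." + base);
  });
}

// Constructed sample input: the hosts and patterns discussed in this issue.
const cases: [string, string[]][] = [
  ["mail.google.com", ["*.google.com"]],
  ["nomoregoogle.com", ["*.google.com"]],
  ["nomoregoogle.com", ["*.nomor.google.com"]],
];
for (const [host, patterns] of cases) {
  console.log(
    host, JSON.stringify(patterns),
    "weak:", weakHostMatches(host, patterns),
    "safe:", safeHostMatches(host, patterns),
  );
}
```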