Recent research by Arizona State University academics supported by PayPal revealed that Google Chrome, Firefox, and Safari failed to show phishing warnings to their users from mid-2017 until late 2018. Even Google’s Safe Search browsing technology failed to warn users about phishing warnings. The researchers reported that the issue was finally resolved by the end of 2018.
In early 2017, an academic research project that went by the name of ‘PhishFarm’ was dedicated to creating and deploying thousands of phishing pages to test how fast their phishing URLS landed in the URL blacklists. While research of this kind was common, the researchers employed “cloaking techniques” that essentially tricked the URL blacklisting technology. The researchers created fake PayPal login pages to run their tests.
They deployed these fake PayPal pages by applying cloaking techniques and recorded if browsers identified them as dangerous sites and blacklisted them or not. These tests revealed that the world’s most popular browsers Chrome, Safari, and Firefox weren’t effective in blacklisting such phishing sites.
“We found that simple cloaking techniques representative of real-world attacks – including those based on geolocation, device type, or JavaScript – were effective in reducing the likelihood of blacklisting by over 55% on average,” researchers said.
Though the results of the tests varied on several URL blacklists and the kind of cloaking technique employed, it was however commonly observed that mobile browsers using Google Safe Search could not blacklist URLs that employed A, E and F cloaking techniques.
After the initial tests, the researchers waited for over a year and tested in mid-2018 and saw the same results again. This is when the researchers realized that Google’s Safe Browsing wasn’t working in an intended way.
“Following our disclosure, we learned that the inconsistency in mobile GSB blacklisting was due to the transition to a new mobile API designed to optimize data usage, which ultimately did not function as intended,” said the researchers about the issue.
They reached out to Google about the same and it was reported that the issue was finally resolved by the end of 2018.