Attacks facilitating phishing or social engineering

A significant number of incoming vulnerability reports fall into a specific category: issues with the sole purpose of facilitating social engineering attacks against Google users. For example:

  • An open redirect can send victims to a phishing page, abusing their trust in a Google domain.
  • Visiting a Google URL can trigger a file download, where the attacker controls the file contents. Victims might download and open a file that executes code on their devices.
  • Attacker-controlled text can be displayed on a Google-owned website, enticing users to visit a phishing website.
  • A Google application can be linked to an external URL that, when opened, replaces the original Google page (e.g., tabnabbing).
  • An attacker can send emails to Google users and control parts of the email messages, starting a phishing campaign.
  • Some emails sent from spoofed addresses are not detected as spam by Gmail.
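The first item in that list, the open redirect, is the one most often reported. As an added example that is not part of Google's page or code, the check below shows what a server should do before following an attacker-supplied `next=` or `continue=` parameter: resolve the target against its own origin and accept it only if it lands on an allowlisted host over https. The host names are placeholders, and the rejected inputs are constructed test cases for the usual shapes such a check must refuse (scheme-relative `//host`, a lookalike subdomain, userinfo tricks, a scheme change).

```python
from urllib.parse import urlsplit, urljoin

# Hosts this service may redirect to (placeholder allowlist for this example).
ALLOWED_HOSTS = frozenset({"example.com", "accounts.example.com"})
# Our own origin; relative targets are resolved against it.
SITE_BASE = "https://example.com/"


def is_safe_redirect(target: str) -> bool:
    """Return True only if `target` is a relative path on this site or an https
    URL on an allowlisted host. Anything ambiguous is rejected rather than guessed at."""
    if not target:
        return False
    # Whitespace and control characters change how browsers parse a URL; refuse them.
    if any(ord(c) < 0x21 for c in target):
        return False
    # Browsers treat "\" as "/" in http(s) URLs, which urlsplit does not; refuse outright.
    if "\\" in target:
        return False
    # Resolving against our origin makes "/path" ours and turns "//other.host/x"
    # (scheme-relative) into an absolute URL on that other host, so it fails below.
    parts = urlsplit(urljoin(SITE_BASE, target))
    if parts.scheme != "https":
        return False
    # .hostname strips userinfo and port, so "https://example.com@evil.example/"
    # yields "evil.example", not "example.com".
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def choose_redirect(target: str, default: str = "/") -> str:
    """Pick the URL to actually redirect to: the requested target if it passes
    the check, otherwise a fixed on-site default."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    for t in ["/settings", "//evil.example/", "https://example.com.evil.example/",
              "https://example.com@evil.example/", "http://example.com/"]:
        print(f"{t!r:45} -> {choose_redirect(t)}")
```

Falling back to a fixed on-site default, rather than to the raw parameter, is the part that matters: a redirect endpoint that rejects bad input but still echoes it elsewhere has not closed anything.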

Although we agree that issues like these have an impact on security, we've decided that Google's Vulnerability Reward Program should focus on technical problems that endanger our users' data (such as XSS and authorization issues), while these subtler and harder-to-solve issues are addressed in other ways.

We might reconsider this approach in the future, but for now, without the data and metrics to measure the efficacy of these changes, we have to depend on our intuition and experience. And our instincts tell us that for average users, the changes aren't worth the cost. For example, we think that even if there were no open redirects, a similar percentage of users could still be successfully phished from deceptive domain names — so fixing individual open redirects is simply ineffective for addressing phishing in general. If you have research data that shows otherwise, please let us know. For now, we think Security Keys, Safe Browsing, and Password Alert are better positioned to help protect our users.

To sum up: social engineering attacks very rarely meet the bar for reward or credit. For the few that the panel does accept, the attack scenario needs to be really clear and convincing. In most cases, this means chaining a few vulnerabilities into an attack that you yourself would fall for.

We hope this clarification won't discourage you from submitting bug reports — we look forward to seeing what you find!