🔓 Google Sans Ligature Spoofing

Proof of Concept Suite - Critical Unfixed Surfaces

⚠️ SECURITY RESEARCH ONLY

This PoC suite is for authorized security research and testing only. Do not use against real users or systems you don't own. Report findings responsibly to the Chromium security team.

About This Vulnerability

CVE Status: Partially fixed (CL 7536052)

Fix Coverage: ~23% (permission prompts only)

Unfixed Surfaces: 27+ UI surfaces remain vulnerable

Severity: CRITICAL (S2) - Credential theft, financial fraud, identity theft


What's the issue?

The Google Sans font contains special ligatures that render strings like "googlelogoligature" as the Google logo. When these strings appear in domain names, Chrome displays them as the logo in various UI surfaces, allowing attackers to spoof Google's origin.
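
An added example, not part of the original PoC suite: a defender-side check that flags URLs whose hostname contains a ligature trigger string, for use before an origin is displayed or when reviewing logs. The log format and function names are assumptions; only the string "googlelogoligature" and the domain googlelogoligature.com come from this page.

```javascript
// Trigger strings that a ligature-bearing UI font renders as a logo.
// Only "googlelogoligature" comes from the page; extend from your own font audit.
const LIGATURE_TRIGGERS = ["googlelogoligature"];

// Constructed sample log: "<timestamp> <url> <event>" (format is an assumption).
const SAMPLE_LOG = [
  "2024-01-01T10:00:00Z https://googlelogoligature.com/ permission_prompt",
  "2024-01-01T10:00:05Z https://login.GoogleLogoLigature.example/ download",
  "2024-01-01T10:00:09Z https://accounts.google.com/ navigation",
  "2024-01-01T10:00:12Z not-a-url navigation",
];

// Report every trigger occurrence in the hostname of rawUrl.
function findLigatureTriggers(rawUrl, triggers = LIGATURE_TRIGGERS) {
  let host;
  try {
    host = new URL(rawUrl).hostname; // the URL parser lowercases the host
  } catch {
    return { url: rawUrl, host: null, hits: [], error: "unparseable" };
  }
  const hits = [];
  // The trigger contains no dot, so a match always lies inside one DNS label.
  host.split(".").forEach((label, labelIndex) => {
    for (const trigger of triggers) {
      for (let at = label.indexOf(trigger); at !== -1; at = label.indexOf(trigger, at + 1)) {
        hits.push({ label, labelIndex, trigger, offset: at });
      }
    }
  });
  return { url: rawUrl, host, hits, error: null };
}

// Scan log lines; return entries whose origin would be affected, plus
// unparseable ones so they are reviewed rather than silently dropped.
function scanLog(lines) {
  const flagged = [];
  for (const line of lines) {
    const [timestamp, url, event] = line.trim().split(/\s+/);
    const result = findLigatureTriggers(url);
    if (result.hits.length > 0 || result.error) {
      flagged.push({ timestamp, event, ...result });
    }
  }
  return flagged;
}

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```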


What was fixed?

CL 7536052 disabled ligatures in permission prompts (camera, microphone, location, etc.) on Android.


What remains vulnerable?

The 7 critical surfaces demonstrated in this PoC suite, plus 20+ other surfaces.

Critical PoCs: 7
Unfixed Surfaces: 27+
Affected Users: ~2B
Fix Coverage: 23%

Select a Proof of Concept:

Testing Instructions

  1. Ensure DNS is configured to point googlelogoligature.com to this server
  2. Accept HTTPS certificate warning (if using self-signed cert)
  3. Click on any PoC card above to test that surface
  4. Follow the on-page instructions for each PoC
  5. Take screenshots of the spoofed origin display
  6. Check browser console for detailed logging
  7. Review captured data in the yellow boxes on each page

What to look for:

Reporting

After testing, report findings to: