Trusted by [your company]

Make sure you are logged into a Google Workspace account (such as a school- or work-provided Google account) to experience this post fully. It might not work on reasonable browsers that block third-party cookies (like Safari with "Prevent cross-site tracking" enabled).

This blog is trusted by…

I noticed that Google Workspace gives admins the ability to set a custom logo that appears in the header of some products, including Gmail and Google Drive.

Example from their website

The image is loaded from the URL https://www.google.com/u/0/ac/images/logo.gif?uid=[a large integer]&service=google_gsuite, and the value of uid appears to be ignored. This means that the logo.gif image can be loaded cross-origin, and additionally the cookies on www.google.com are sent with cross-origin image requests, so the response is authenticated (therefore, even when loaded on a non-Google webpage, browsers will show the logo specific to your Google Workspace organization!).

(The 320x132 image probably doesn't look great when blown up this large.)
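The root cause described above is an authenticated image that any site can embed. As an added example (not Google's code), here is the server-side logic a defender would put in front of such an endpoint: it serves the personalised logo only when Fetch Metadata shows the request is not cross-site, and it sets Cross-Origin-Resource-Policy so browsers refuse to render the body on other sites even when that check is not available. The endpoint path, organization id and logo bytes are constructed placeholders.

```python
"""Added example (not Google's code): decision logic for an endpoint such as
/ac/images/logo.gif that must not leak a per-organization logo to other sites.

Two independent defences are combined:
  * Fetch Metadata: a cross-site <img> request carries
    Sec-Fetch-Site: cross-site, so the personalised variant is only returned
    for same-origin, same-site or user-initiated (none) requests.
  * Cross-Origin-Resource-Policy: same-site tells the browser to block the
    response from being embedded by other sites, even for a no-cors <img>
    load, and even if the request came from a browser without Fetch Metadata.
"""
from typing import Dict, Optional, Tuple

DEFAULT_LOGO = b"GIF89a-default-logo"           # constructed placeholder bytes
ORG_LOGOS = {"acme-org": b"GIF89a-acme-logo"}    # constructed per-org logos


def is_same_site_request(headers: Dict[str, str]) -> bool:
    """True only when Fetch Metadata proves the request is not cross-site."""
    site = headers.get("Sec-Fetch-Site", "").lower()
    # Browsers without Fetch Metadata send no header at all; we cannot tell
    # where the request came from, so treat it as untrusted.
    return site in ("same-origin", "same-site", "none")


def serve_logo(headers: Dict[str, str], org_id: Optional[str]) -> Tuple[bytes, Dict[str, str]]:
    """Return (body, response_headers) for a GET of the logo image."""
    resp = {
        "Content-Type": "image/gif",
        # Block embedding by other sites regardless of the decision below.
        "Cross-Origin-Resource-Policy": "same-site",
        # A personalised response must never be served from a shared cache.
        "Cache-Control": "private, no-store",
        "Vary": "Cookie, Sec-Fetch-Site",
    }
    if org_id and is_same_site_request(headers):
        return ORG_LOGOS.get(org_id, DEFAULT_LOGO), resp
    # Signed-out users, unknown origins and cross-site embeds all get the
    # generic image, so the response reveals nothing about the account.
    return DEFAULT_LOGO, resp
```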

If your company does not have a logo set up, or you don't use Google Workspace, it will show "G Suite" as a default image. This is based on the service parameter. For example, here are the default logos for a few services:

(Default logo images for ?service=google_gsuite, ?service=mail, ?service=google_* (shown: service=google_search), ?service=writely and ?service=jotspot.)

Those images will display for users who are not signed into a Google Workspace account, or don't have a logo set up.

This trick has some limitations. Most notably, the image cannot be read through JavaScript directly (e.g. by drawing it to a canvas). The cross-origin image is only "visible" to visitors, which severely limits the impact. However, it is still possible to extract some information by relying on the user, similarly to my last experiment, "Retrieving your browsing history through a CAPTCHA".

After publishing that post on Hacker News, I was shared the post "The Human Side Channel" by Ron Masas. It is a great collection of similar attacks.

This requires some very unlikely user interaction, but here is a demo game that leaks the visitor's organization (requires JavaScript).

(Demo game: "Are you a robot?" Name the brands from their logos. Press "DONE" when you finish.)

In conclusion, this is a very low impact issue, but maybe something fun to consider when building a phishing page for a pentest or something similar.