Trusted by [your company]

← Back to varun.ch

Make sure you are logged into a Google Workspace account (such as a school or work provided Google account) to experience this post fully. Might not work on reasonable browsers that block third party cookies! (like Safari with "Prevent cross-site tracking" enabled)

This blog is trusted by...

Disclaimer: Not really.

I noticed that Google Workspace gives admins the ability to set a custom logo that appears in the header of some products, including Gmail and Google Drive.

Example from their website

The image is loaded from the URL https://www.google.com/u/0/ac/images/logo.gif?uid=[a large integer]&service=google_gsuite, and the value of uid appears to be ignored. This means that the logo.gif image can be loaded cross origin, and additionally the cookies on www.google.com also allow for cross origin images with authentication (so therefore, even when loaded on a non Google webpage, browsers will show the logo specific to your Google Workspace organization!).

Your company

(The 320x132 image probably doesn't look great when blown up this large.)

If your company does not have a logo set up, or you don't use Google Workspace, it will show "G Suite" as a default image. This is based on the service parameter. For example, here are the default logos for a few services:

?service=google_gsuite

?service=google_gsuite

?service=mail

?service=mail

?service=google_*

?service=google_search

?service=writely

?service=writely

?service=jotspot

?service=jotspot

Those images will display for users who are not signed into a Google Workspace account, or don't have a logo set up.

This trick has some limitations: Most notably, the image cannot be read through JavaScript directly (eg. by using a canvas). The cross origin image is only "visible" to visitors, which severely limits the impact. However, it is still possible to extract some information by relying on the user, similarly to my last experiment, "Retrieving your browsing history through a CAPTCHA".

After publishing that post on Hacker News, I was shared the post, "The Human Side Channel" by Ron Masas. It is a great collection of similar attacks.

This requires some very unlikely user interaction, but here is a demo game that leaks the visitor's organization (Requires JavaScript).

Are you a robot?

Name the brands from their logos

Press "DONE" when you finish.

In conclusion, this is a very low impact issue, but maybe something fun to consider when building a phishing page for a pentest or something similar.