[sophiebits]

You’re likely severely underestimating the amount of internal paperwork and review that is required to launch a new google.com subdomain.

[drpossum]

I did one on my local network and didn't fill out anything

[block_dagger]

But only you have access to your local network.

[drpossum]

Good thing all networks everyone connects to are always known by that user to be secure

[bqmjjx0kac]

Do these APIs not require https?

[drpossum]

The case here was just injecting a domain. There's another thread for this post pointing out you would also need to inject a malicious root cert for https traffic, which is correct, but not impossible (and given some bad/lazy practices I've seen places do when they sign their own certs for internal infrastructure, not a far stretch)

[jonas21]

If they can do that, they can spoof or proxy any website and collect your passwords, auth cookies, and anything else sent over the network. At that point, who cares if they can also see how much CPU you're using?

[therein]

That's not necessarily true.

[pharrington]

is your local network google.com ?

[shreddit]

I can tell my pc what ca to trust, so yes i can make it to…

[mimon]

So if you can just trick someone into trusting a bogus root CA, take control of their DNS resolution, and get them to open an attacker controlled domain in Chrome then you can... Use this API to get information about their current CPU utilisation.

Wow some attack you got there.

[isodev]

Maybe they don't need a new subdomain, something unused could do the trick.

[riccardomc]

Probably a 'something.google.com'...

But you could have teams with DNS zone delegation who can.create.anything.like.this.google.com