Google Logo Ligature Bug

May 17th, 2025
tech, unicode
Jeffrey Yasskin recently pointed out an interesting security bug:

The idea is, if you had registered googlelogoligature.net then Chrome on Android (and possibly other Google products) would have displayed it as Google.net, potentially tricking users into thinking they were really interacting with Google.

To see how this worked, you can try searching Google for ["googlelogoligature"], and you'll see it shows up as "Google":

Poking in devtools, this is dependent on the specific font they're using, "Google Sans". If I turn that off my "googlelogoligature" shows just as I typed it:

Fonts can include "ligatures", which let font designers special-case specific combinations of letters. These were intended to support things like "f" followed by "i" blending into "fi" nicely, but the feature has been (ab)used for many other things, including complex emoji. In this case, Google Sans has a specific way of drawing "googlelogoligature" that looks like a mildly stylized "Google".

Using a ligature to get the Google logo into text-only interfaces is a reasonable product decision, but it shouldn't have been added to a general-purpose font. And especially shouldn't have been added to a font used for rendering attacker-controlled text in security-sensitive contexts.

(When I first saw it I thought this might be an example of a unicode-driven vulnerability, but sadly not.)

Comment via: facebook, lesswrong, hacker news, mastodon, bluesky, substack

Recent posts on blogs I like:

Tuberculosis Considered As Dating Strategy

Against some evopsych

via Thing of Things July 8, 2025

Retrospective on life tracking and effectiveness systems

I’ve been doing life tracking for around 10 years, and this post is looking back at some things I learned from the data (since my previous retrospective in 2017). Highlights include what I get out of the Oura ring, correlations between sleep and deep work…

via Victoria Krakovna July 4, 2025

Elixir's Last Dance

On May 18th, the contra dance band Elixir had their last gig ever. The dance was packed: there were three hundred people. It was the only dance BIDA has ever done where they sold tickets. People flew from across the country just to hear Elixir play one la…

via Lily Wise's Blog Posts June 5, 2025

more     (via openring)