Hackers abuse Google Apps Script to steal credit cards, bypass CSP

Attackers are abusing Google's Apps Script business application development platform to steal credit card information submitted by customers of e-commerce websites while shopping online.
They take advantage of the fact that online stores are likely to treat Google's Apps Script domain as trusted and may whitelist all Google subdomains in their sites' CSP configuration.
Google Apps Script domain used as exfiltration endpoint.
All the payment info stolen from the compromised online shop was sent as base64-encoded JSON data to a Google Apps Script custom app, using script[.
After reaching the Google Apps Script endpoint, the data was forwarded to another server - Israel-based site analit[.
Other Google services were also abused in Magecart attacks, with the Google Analytics platform being used by attackers to steal payment info from several dozen online stores.
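A store can check its own policy for the broad Google allowlisting described above. The following Python audit is an added example, not code from the article; the function names and the two sample policies are constructed for illustration, and it only checks whether a source expression would let a request to `script.google.com` through.

```python
# Added example: flag CSP sources that would permit traffic to script.google.com.
TARGET_HOST = "script.google.com"  # Apps Script domain named in the article
# Directives that decide where scripts load from and where data can be sent.
CHECKED = ("script-src", "connect-src", "img-src", "form-action")
NO_FALLBACK = {"form-action"}  # form-action never falls back to default-src


def parse_csp(header):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_allows(source, host=TARGET_HOST):
    """True if a single source expression matches the given HTTPS host."""
    s = source.lower()
    if s.startswith("'"):              # 'self', 'none', nonces, hashes
        return False
    if s in ("*", "https:", "http:"):  # wildcard or bare network scheme
        return True
    if s.endswith(":"):                # other scheme sources such as data:
        return False
    s = s.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    if s.startswith("*."):             # *.google.com matches any subdomain
        return host.endswith(s[1:])
    return s == host


def audit(header):
    """Map each checked directive to the sources that let TARGET_HOST through."""
    policy, findings = parse_csp(header), {}
    for name in CHECKED:
        sources = policy.get(name)
        if sources is None and name not in NO_FALLBACK:
            sources = policy.get("default-src")
        if sources is None:
            findings[name] = ["<unrestricted>"]
        else:
            hits = [s for s in sources if source_allows(s)]
            if hits:
                findings[name] = hits
    return findings


# Constructed sample policies (not taken from any real site).
WEAK = ("default-src 'self'; script-src 'self' *.google.com *.googleapis.com; "
        "connect-src 'self' https://*.google.com; form-action 'self'")
TIGHT = ("default-src 'self'; script-src 'self' https://www.google.com/recaptcha/; "
         "connect-src 'self'; form-action 'self'")
```

An empty result from `audit` means none of the checked directives admits the Apps Script host; any entry it returns is a source to narrow to the specific Google hosts the site actually uses.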