Categories: Cyber Security News

Domain-Fronting Technique Enables Tunneling to Google Meet, YouTube, Chrome Update, and GCP

At this year’s Black Hat and DEF CON, researchers demonstrated how red teams could covertly tunnel traffic through popular collaboration platforms like Zoom and Microsoft Teams.

Building on that work, they have now taken domain fronting to a new level by targeting Google’s own cloud and service infrastructure.

By exploiting services such as Google Meet, YouTube, Chrome’s update servers, and various Google Cloud Platform (GCP) endpoints, attackers can disguise malicious traffic as legitimate API calls to highly trusted domains.

Given that most enterprises cannot block Google’s core services without disrupting day-to-day operations, this trust gap presents a powerful opportunity for stealthy command-and-control channels.

Exploiting App Engine and Cloud Run

The core of this new technique relies on mismatched Server Name Indication (SNI) and HTTP Host headers in HTTPS requests.

In a typical TLS handshake, the SNI indicates the public domain (for example, google.com), while the encrypted HTTP Host header specifies the actual backend destination—here, attacker-controlled infrastructure hosted within GCP.

In proof-of-concept tests, researchers deployed a simple Google Cloud Run function that returned a “Hello World!” response.

When the Host header was set to the Cloud Run URL while connecting to google.com, the request unexpectedly invoked the malicious function.

This same approach works against update.googleapis.com, meet.google.com, and payments.google.com, among other high-traffic domains.

Additionally, popular customer-facing apps built on App Engine, such as Snapchat’s API endpoint, were found to be vulnerable to the same redirection trick, enabling attackers to hide in plain sight among trusted, certificate-pinned traffic.

Implications for Red Teams and Defenders

Although domain fronting was largely curtailed by major providers between 2015 and 2024, this edge case within Google’s infrastructure resurrects the technique in a highly potent form.

For red teams, it offers a nearly undetectable channel to exfiltrate data or maintain persistent control over compromised hosts.

Attackers can further evade inspection by choosing front domains that are typically pre-excluded from TLS inspection, such as Snapchat's certificate-pinned API or endpoints classified as financial services, like payments.google.com.

On the defensive side, simply trusting traffic bound for big-name services is no longer sufficient.

Security teams must develop deep inspection capabilities that correlate SNI fields with HTTP Host headers and monitor unusual backend routing patterns, even for traffic that appears to be heading to legitimate Google services.
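The SNI/Host correlation described above, as an added detection example (not code from the article or from the praetorian-inc tool). It assumes a TLS-inspecting proxy that logs each flow as a constructed `<src> sni=<sni> host=<host>` record, and that Cloud Run and App Engine backends use their default run.app and appspot.com hostnames.

```python
import re

# Front domains the article names (any Google-owned SNI counts as a trusted front).
GOOGLE_FRONT_SUFFIXES = ("google.com", "googleapis.com")
# Default hostnames of tenant-run backends (assumption: Cloud Run and App Engine).
TENANT_BACKEND_SUFFIXES = ("run.app", "appspot.com")

def normalize(name: str) -> str:
    """Lower-case, drop an explicit :port and a trailing dot before comparing."""
    return re.sub(r":\d+$", "", name.strip().lower()).rstrip(".")

def under(name: str, suffixes) -> bool:
    """True if name equals or is a subdomain of any listed suffix."""
    return any(name == s or name.endswith("." + s) for s in suffixes)

def classify(sni: str, host: str):
    """None when SNI and Host agree; 'high' for a trusted front routed to a
    tenant-hosted backend; 'low' for any other disagreement."""
    s, h = normalize(sni), normalize(host)
    if s == h:
        return None
    if under(s, GOOGLE_FRONT_SUFFIXES) and under(h, TENANT_BACKEND_SUFFIXES):
        return "high"
    return "low"

# Constructed proxy log format "<src> sni=<sni> host=<host>" (an assumption).
LOG_RE = re.compile(r"^(?P<src>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+)$")

def scan(lines):
    """Return (severity, src, sni, host) for every record whose SNI and Host disagree."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed record: skip rather than guess
        sev = classify(m["sni"], m["host"])
        if sev:
            findings.append((sev, m["src"], m["sni"], m["host"]))
    return findings

# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 sni=meet.google.com host=meet.google.com",
    "10.0.0.7 sni=google.com host=example-svc-abc123-uc.a.run.app",
    "10.0.0.9 sni=update.googleapis.com host=Example-App.appspot.com:443",
    "10.0.0.9 sni=google.com host=www.google.com",
    "garbage line",
]
```

Only the two records that pair a Google front with a run.app or appspot.com backend are rated high; the www.google.com case is a benign-looking mismatch worth a low-priority look, and unparsable records are skipped rather than guessed at.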

Building and Deploying a Redirector

To streamline adoption of this technique, the researchers have released an open-source Google Cloud Run redirector at praetorian-inc/google-redirector.

The tool integrates with existing HTTP-based implants and automates deployment within GCP, enabling red teams to quickly spin up domain-fronting infrastructure.

Detailed setup instructions are provided in the repository’s README, making deployment straightforward for those familiar with cloud command-and-control frameworks.

This new domain fronting attack demonstrates how even the most trusted Internet infrastructure can be co-opted for illicit purposes.

By routing malicious traffic through Google’s core services, adversaries gain a powerful cloaking mechanism that challenges traditional border-based security models.

Organizations must now balance the necessity of Google services with advanced inspection and anomaly detection to prevent attackers from hiding in plain sight.

