Certain Google-owned domains have caused Chrome users, from the most skilled researchers to regular users, to question whether they are malicious.
The domains in question are redirector.gvt1.com and the gvt1/gvt2 subdomains, which have prompted many questions online.
After receiving a number of concerned questions over time, BleepingComputer dug deeper into the domains' origin and whether they should be something to worry about.
What are these suspicious gvt1.com domains?
The domains *.gvt1.com and *.gvt2.com, together with their subdomains, are owned by Google and are typically used to deliver Chrome software updates, extensions, and related content.
For example, when we started Chrome just now, it tried to connect to the following domains:
However, these URLs and the domain name have repeatedly caused confusion among developers and researchers because of their suspicious-looking structure:
Moreover, the redirector.gvt1.com links redirect to a URL that contains the user's IP address, among other opaque parameters, which can raise further suspicion.
For example, BleepingComputer traced the following link, which redirects twice to much larger URLs with an arbitrary subdomain and extensive GET parameters, such as the user's IP address:
Ought to we be involved about gvt1.com URLs?
This is where it gets tricky, but the answer is: no, although Google could secure them better.
The GVT in the gvt1.com domain stands for Google Video Transcoding, and the domain is used as a cache server for content and downloads used by Google services and applications.
“redirector.gvt1.com is a redirection service used by Google for a variety of purposes, including download of updates, etc.,” Eric Lawrence, a former member of the Chrome Security Team, said in a Google bug post.
Going back to the link analyzed in the previous section as an example, we can see that the URL ending in .crx represents a Chrome extension:
BleepingComputer traced the extension to the Chrome Media Router extension, a legacy component that was used by Chromecast.
What is concerning is that Google continues to use the insecure HTTP protocol rather than HTTPS when connecting to these URLs.
Because the URLs are fetched over HTTP, an attacker positioned on the network path could attempt man-in-the-middle (MiTM) attacks to modify the downloads in transit. That said, if you have malware installed that is already intercepting your HTTP traffic, you have bigger problems than these downloads.
In conclusion, when you see traffic to *.gvt1.com or *.gvt2.com domains on your corporate network, it is not a cause for alarm but simply a legitimate Chromium download taking place.
However, Google should switch to HTTPS to prevent potential MiTM attacks, and administrators should continue to follow best practices such as analyzing traffic to these URLs.
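As an added example (not BleepingComputer's code, and not anything Google publishes), the following Python script shows one way an administrator could act on that advice: it reads proxy log lines in a constructed, hypothetical format, separates genuine *.gvt1.com / *.gvt2.com hosts from look-alike hostnames that merely contain the string, and flags the genuine ones fetched over plain HTTP for the MiTM reason given above. The log lines, the `r1---sn-example` subdomain, the `attacker.example` host and the paths are all constructed for illustration; only the gvt1.com / gvt2.com domains and redirector.gvt1.com come from the article.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log in a hypothetical format:
#   "<epoch> <client> <method> <url> <status>"
# Hosts and paths are invented for this example, apart from the gvt1.com / gvt2.com
# domains and redirector.gvt1.com mentioned in the article. The last line is
# deliberately truncated to show how malformed lines are handled.
SAMPLE_PROXY_LOG = """\
1700000000.123 10.0.0.5 GET http://redirector.gvt1.com/example/update.crx 302
1700000000.456 10.0.0.5 GET http://r1---sn-example.gvt1.com/example/update.crx 200
1700000001.000 10.0.0.7 GET https://update.example.test/service/update2 200
1700000002.000 10.0.0.9 GET http://gvt1.com.attacker.example/update.crx 200
1700000003.000 10.0.0.9 GET https://www.gvt2.com/example/component.crx 200
1700000004.000 10.0.0.9 GET
"""

# Matches gvt1.com / gvt2.com exactly or any subdomain of them, and nothing else,
# so "notgvt1.com" and "gvt1.com.attacker.example" do NOT match.
GVT_HOST = re.compile(r"(?:[a-z0-9-]+\.)*gvt[12]\.com")


def is_google_gvt_host(host):
    """True if host is the apex or a subdomain of gvt1.com / gvt2.com, after normalisation."""
    return GVT_HOST.fullmatch(host.strip().rstrip(".").lower()) is not None


def parse_line(line):
    """Parse one log line into a dict; return None for malformed or unparseable lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, client, method, url, status = parts[:5]
    u = urlsplit(url)
    if not u.scheme or not u.hostname:
        return None
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "scheme": u.scheme.lower(),
        "host": u.hostname,
        "path": u.path,
        "status": status,
    }


def classify(rec):
    """Assign a triage verdict to a parsed request."""
    if is_google_gvt_host(rec["host"]):
        # Genuine Google update/cache host. Plain HTTP is flagged separately because an
        # on-path attacker could tamper with the download in transit.
        return "google-host-plaintext" if rec["scheme"] == "http" else "google-host-tls"
    if re.search(r"gvt[12]\.com", rec["host"]):
        # Contains the string but is not actually under the Google-owned domain.
        return "lookalike"
    return "unrelated"


def triage(log_text):
    """Parse every line, skip malformed ones, and attach a verdict to each request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["verdict"] = classify(rec)
        findings.append(rec)
    return findings


def summarize(findings):
    """Count verdicts so an analyst can see at a glance what needs a closer look."""
    return Counter(f["verdict"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_PROXY_LOG)
    for r in results:
        print(f'{r["verdict"]:22} {r["scheme"]}://{r["host"]}{r["path"]}')
    print(dict(summarize(results)))
```

The suffix match is deliberately strict: a hostname is only treated as Google's if it ends in `.gvt1.com` or `.gvt2.com` as a whole label boundary, which is what separates the expected update traffic from a host that merely embeds the string. In a real deployment the `parse_line` function would be replaced with a parser for your proxy's actual log format.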
BleepingComputer reached out to Google several times well in advance but had not heard back before press time.