Google Logo Ligature Bug

Well, using ligature to display ‘Google’ with slanted ‘e’ would be just fine. But why in the heavens would someone make a completely different set of characters “googlelogoligature” draw as “Google”? That’s just stupid.

[-]jefftk2mo20

Presumably they wanted to be able to include both "Google" the the Google logo on the same pages, and a font that can do both is a reasonable way to do that.

Creating the font was reasonable, it was the choice to use it outside of their own web pages, and especially to apply it to user controlled text, that was a bag call.

[-]Samuel Hapák2mo62

I don’t see this as anyhow reasonable still. This eg will break all the screen readers as well. If you really want to do this, use specialized font and a single unprintable Unicode character instead. Like font awesome does.

[-]Garrett Baker2mo40

Reading out “google logo ligature” in a font reader seems more informative than skipping the logo entirely, which is what an unprintable unicode character would do.

[-]Samuel Hapák2mo10

I agree. I was not precise in my statement—what I wanted to say was that if for some reason they are trying to use it in place of picture, as a decoration (which I can’t really see why), then this would be the approach. Still, I think using ligature for the word Google is the right approach.

[-]Matt2mo10

Realistically wouldn't that mean having two versions of the font, one with the ligature and one without? Perhaps they do have two versions and some developer just used the wrong one at some point. Seems like it would be an easy mistake to make.

Moderation Log

Curated and popular this week

7Comments

49 Google Logo Ligature Bug

by jefftk

18th May 2025

jefftk

1 min read

49

Practical

Personal Blog

49

Google Logo Ligature Bug

New Comment

7 comments, sorted by

top scoring

Click to highlight new comments since: Today at 9:27 PM

[-]Viliam2mo50

One person's "cool feature" is another person's "security vulnerability".

[-]Samuel Hapák2mo10

[-]jefftk2mo20

Presumably they wanted to be able to include both "Google" the the Google logo on the same pages, and a font that can do both is a reasonable way to do that.

Creating the font was reasonable, it was the choice to use it outside of their own web pages, and especially to apply it to user controlled text, that was a bag call.

[-]Samuel Hapák2mo62

[-]Garrett Baker2mo40

Reading out “google logo ligature” in a font reader seems more informative than skipping the logo entirely, which is what an unprintable unicode character would do.

[-]Samuel Hapák2mo10

[-]Matt2mo10

Moderation Log

Curated and popular this week

7Comments

Jeffrey Yasskin recently pointed out an interesting security bug:

The idea is, if you had registered googlelogoligature.net then Chrome on Android (and possibly other Google products) would have displayed it as Google.net, potentially tricking users into thinking they were really interacting with Google.

To see how this worked, you can try searching Google for ["googlelogoligature"], and you'll see it shows up as "Google":

Poking in devtools, this is dependent on the specific font they're using, "Google Sans". If I turn that off my "googlelogoligature" shows just as I typed it:

Fonts can include "ligatures", which let font designers special-case specific combinations of letters. These were intended to support things like "f" followed by "i" blending into "fi" nicely, but the feature has been (ab)used for many other things, including complex emoji. In this case, Google Sans has a specific way of drawing "googlelogoligature" that looks like a mildly stylized "Google".

Using a ligature to get the Google logo into text-only interfaces is a reasonable product decision, but it shouldn't have been added to a general-purpose font. And especially shouldn't have been added to a font used for rendering attacker-controlled text in security-sensitive contexts.

(When I first saw it I thought this might be an example of a unicode-driven vulnerability, but sadly not.)

Comment via: facebook, mastodon, bluesky