The Google Docs phishing attack spread quickly across social media last week before it was stopped, and now Google is tightening its processes to prevent a repeat.
In a post Monday, Google said it will revamp its OAuth system and update its general spam and security monitoring to prevent a similar attack in the future. Google said it already had protections in place for email-based phishing, including in-app Gmail warnings for suspicious emails and spam detection.
“Upon detecting this issue, we immediately responded with a combination of automatic and manual actions that ended this campaign within an hour,” Google said. “We removed fake pages and applications, and pushed user-protection updates through Safe Browsing, Gmail, Google Cloud Platform, and other counter-abuse systems. Fewer than 0.1 percent of our users were affected by this attack, and we have taken steps to resecure affected accounts.”
The Google Docs phishing scam worked by sending a fake Google Docs sharing email to users from accounts they had previously contacted or would recognize. The email directed users to a genuine Google OAuth consent prompt for a fake third-party app that called itself Google Docs. Once the user authorized that app, it pulled the user’s contacts and sent the same email on to them, spreading the campaign further. According to Google, less than 0.1 percent of Gmail users were affected by the exploit.
OAuth refers to Open Authorization, an open standard that lets users authorize third-party websites or applications to utilize their account information without requiring a password. It’s commonly used when applications or games direct you to an external webpage to connect it to an account from a service like Google or Facebook.
While Google’s patch for the Google Docs phishing attack looks to prevent a repeat event, it also wasn’t the first time Google had heard of the exploit. Researcher Andre DeMarre posted about a similar exploit on a mailing list and reported it to Google in 2012, Motherboard reported.
As DeMarre wrote in his initial post in 2011, a malicious third party could easily name its app to impersonate a reputable source, just as the Google phishing email came from a fake app named Google Docs.
"Imagine someone registers a client application with an OAuth service, let's call it Foobar, and he names his client app 'Google Inc.' The Foobar authorization server will engage the user with: 'Google Inc. is requesting permission to do the following.' The resource owner might reason, 'I see that I'm legitimately on the https://www.foobar.com site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow.'
"To make the masquerade act even more convincing, many of the most popular OAuth services allow app developers to upload images, which could be official logos of the organizations they are posing as. Often app developers can supply arbitrary, unconfirmed URIs, which are shown to the resource owner as the app's website even if the domain does not match the redirect URI. Some OAuth services blindly entrust client apps to customize the authorization page in other ways."
Google recommends users take precautions like using the Google Security Checkup and reporting suspicious emails to Google via Gmail. Enterprise users should also use security measures like enabling two-factor authentication and running OAuth token audits to find problematic scope grants.
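The two defensive points above, the impersonating app names DeMarre describes and the OAuth token audits Google recommends for enterprises, can be combined into one check. The following Python is an added example written for this article, not Google's code or DeMarre's: it runs over a constructed list of OAuth grants (the record shape and field names are assumptions, loosely modeled on what an administrator could export from a token audit) and flags grants that carry contact- or mail-level scopes, or whose consent-screen display name invokes a brand without coming from that brand's domain. The scope URIs are real Google API scopes; the client ids, users and trusted-domain list are constructed.

```python
"""Audit OAuth app grants for risky scopes and brand-impersonating app names.

Added example, not Google's or DeMarre's code. Grant records are constructed;
their field names are assumptions, not a real export format.
"""
from dataclasses import dataclass, field

# Scopes that give an app what the described campaign needed: the victim's
# contacts (to pick the next targets) and their mailbox (to send the lure).
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.modify",
}

# Brand words an app could put in its display name so the consent screen
# reads "Google Docs is requesting permission ..." (DeMarre's "Google Inc." case).
IMPERSONATED_BRANDS = ("google", "gmail", "google docs", "drive")

# Domains from which an app using those brand words is expected (assumption).
TRUSTED_APP_DOMAINS = {"google.com", "withgoogle.com"}


@dataclass
class Grant:
    user: str           # account that clicked Allow
    client_id: str      # OAuth client id (constructed values below)
    display_name: str   # name shown on the consent screen
    app_domain: str     # domain the app is registered under, "" if none
    scopes: tuple       # scopes the user granted


@dataclass
class Finding:
    grant: Grant
    reasons: list = field(default_factory=list)


def looks_impersonating(display_name, app_domain):
    """True when the display name invokes a brand but the app is not from that brand's domain."""
    name = display_name.lower()
    if not any(brand in name for brand in IMPERSONATED_BRANDS):
        return False
    return app_domain not in TRUSTED_APP_DOMAINS


def audit(grants):
    """Return a Finding for every grant that is risky for at least one reason."""
    findings = []
    for g in grants:
        reasons = []
        risky = sorted(set(g.scopes) & HIGH_RISK_SCOPES)
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if looks_impersonating(g.display_name, g.app_domain):
            domain = g.app_domain or "unset"
            reasons.append(f"display name {g.display_name!r} mimics a brand but app domain is {domain!r}")
        if reasons:
            findings.append(Finding(g, reasons))
    return findings


def affected_users(findings):
    """Accounts whose grants should be revoked and which should be re-secured."""
    return sorted({f.grant.user for f in findings})


# Constructed sample grants: one mirrors the fake "Google Docs" app with
# contacts and mail access, one is a benign app, one is a brand-named app
# from the brand's own domain, one is a plain app with a sending scope.
SAMPLE_GRANTS = [
    Grant("alice@example.com", "client-111", "Google Docs", "",
          ("https://www.googleapis.com/auth/contacts", "https://mail.google.com/")),
    Grant("bob@example.com", "client-222", "Expense Tracker", "expenses.example",
          ("https://www.googleapis.com/auth/drive.file",)),
    Grant("carol@example.com", "client-333", "Google Calendar Sync", "google.com",
          ("https://www.googleapis.com/auth/calendar",)),
    Grant("dave@example.com", "client-444", "Team Newsletter", "news.example",
          ("https://www.googleapis.com/auth/gmail.send",)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS):
        print(finding.grant.user, finding.grant.display_name)
        for reason in finding.reasons:
            print("   -", reason)
    print("revoke and re-secure:", affected_users(SAMPLE_GRANTS and audit(SAMPLE_GRANTS)))
```

On the sample data the audit flags alice's grant for both reasons and dave's for the sending scope alone; bob's app holds no risky scope, and carol's brand-named app is registered under google.com, so neither is reported. In practice the brand list and trusted-domain set would be tuned to the organization, and a flagged grant would be revoked before the affected account is re-secured.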