A new type of phishing attack has recently spread across Google Docs, a tool that allows you to create and edit documents online for free. As with many similar attacks, the threat arrived via email and asked recipients to grant access to a shared document so they could edit it. Once permission was granted, users were redirected to a new app that looked exactly like Google Docs, while the attacker was simultaneously given access to their emails and possibly other associated services. The attack was elaborate and practically undetectable, but fortunately Google acted quickly and the menace was extinguished in no time. Even so, the short time it was active was enough to affect 0.1% of Gmail users, which, given Google’s roughly 1 billion customers, amounts to about 1 million people.
What made this scheme so dangerous was that it was practically undetectable. Gmail’s phishing detection was not able to stop it because, unlike regular phishing attacks – where users are asked to type in their passwords – this one abused Open Authorization (OAuth). OAuth is a protocol that lets a third-party application obtain limited access to an HTTP service on a user’s behalf; in other words, it is how different apps talk to each other within the range of permissions your account allows. In this Google Docs attack the perpetrator simply asked victims for permission to access their email, obtaining an access token through the consent screen instead of leading them through a trail of sketchy password-harvesting websites.
Moreover, the fact that a great number of apps rely on this authorization protocol (over 275,000, to be more precise) adds yet another layer of concern about similar attacks in the future.
Since this phishing attack exploits OAuth, the first measure you can take for extra security is to review your apps’ permissions and manage them suitably. That said, the large number of apps using OAuth can be quite difficult to manage, as you could spend a very long time hunting for their respective permission management pages. While that is easy with Google, one of the biggest companies on Earth, it is quite tricky with smaller companies, whose account details and permission settings are often hidden in some dark corner of the web.
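As an added illustration (not from the article), the audit below runs over a constructed list of OAuth grants and flags the two traits that distinguished this attack's app: a display name mimicking a first-party Google product on a client that is not Google's own, and a mail or contacts scope held by a third party. The `Grant` record shape, the `first_party` flag and the client IDs are assumptions; the scope URIs are real Google scope identifiers.

```python
"""Audit a user's third-party OAuth grants for the Google Docs phishing pattern.

Hypothetical record shape: each grant carries the app's display name, its client ID,
the set of scopes it holds, and whether the client is the platform's own app.
"""
from dataclasses import dataclass

# Real Google scope URIs that hand over mailbox contents or contact lists.
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts.readonly",
}
# Product names a third-party client has no business displaying.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google"}


@dataclass(frozen=True)
class Grant:
    display_name: str
    client_id: str
    scopes: frozenset
    first_party: bool  # assumption: True only for the platform's own clients


def grant_findings(g: Grant) -> list:
    """Return the review findings for one grant (empty list means nothing suspicious)."""
    findings = []
    # Normalise spacing and case so "Google  Docs " still matches the product name.
    name = " ".join(g.display_name.lower().split())
    if not g.first_party and name in FIRST_PARTY_NAMES:
        findings.append("impersonates first-party app name")
    if not g.first_party and (g.scopes & MAIL_SCOPES):
        findings.append("third party holds mail/contacts scope")
    return findings


def audit(grants) -> dict:
    """Map each suspicious client_id to its findings; clean grants are omitted."""
    return {g.client_id: f for g in grants if (f := grant_findings(g))}


# Constructed sample inventory; client IDs are placeholders, not real values.
SAMPLE_GRANTS = [
    Grant("Google Docs", "111-attacker.example", frozenset({
        "https://mail.google.com/",
        "https://www.googleapis.com/auth/contacts.readonly"}), False),
    Grant("Google Drive", "google-own-client.example", frozenset({
        "https://www.googleapis.com/auth/drive.readonly"}), True),
    Grant("Calendar Helper", "222-vendor.example", frozenset({
        "https://www.googleapis.com/auth/calendar.readonly"}), False),
    Grant("Mail Backup Tool", "333-vendor.example", frozenset({
        "https://www.googleapis.com/auth/gmail.readonly"}), False),
]

if __name__ == "__main__":
    for client, findings in audit(SAMPLE_GRANTS).items():
        print(client, "->", "; ".join(findings))
```

The fake "Google Docs" client is flagged on both counts, while the backup tool is flagged only for its mail scope so the user can decide whether that grant is still wanted.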
Given this, pay attention to which permissions you allow when installing an app or creating an account, and keep a proper antivirus or security suite installed.
©2012-2025 Best Reviews, a clovio brand – All rights reserved