Hackers used Google Docs to spread a phishing scam in an attack against at least 1 million Gmail users.
Not to mention, Google last year put the number of monthly active Gmail users at more than 1 billion.
Google shut down the phishing scam within an hour, it said, through both automatic and manual actions. Google removed all the fake pages and applications, and pushed updates through Gmail and its other anti-abuse systems.
Users do not need to take any action on their own in response to the attack, but anyone who wants to review the third-party apps connected to their account can do so at Google's Security Checkup site.
Anti-Phishing Security Checks
Coincidentally, Google introduced a new anti-phishing security feature for Gmail on Android. The new tool displays a warning when a user clicks a suspicious link in an email message and alerts them that the site they are trying to visit is a forgery. Users can back away or continue to the site at their own risk, which helps to reduce successful phishing scams drastically.
Google is gradually rolling out the new feature to all G Suite users.
How the Docs Attack Went Down
People got an email from someone they knew inviting them to click on a link to collaborate on a Google Doc.
Clicking on the “Open in Docs” link took them to a Google OAuth 2.0 page asking them to authorize an application named “Google Docs,” which was a fake.
The application stated that Google Docs would like to read, send, delete and manage the recipient’s email and manage their contacts. Such requests are common among applications that use Google as an authentication mechanism.
Once permission was granted, the attacker gained access to the victim’s address book, which allowed the attack to go viral swiftly.
The OAuth Vulnerability
The attack exploited OAuth, “a ubiquitous industry standard protocol [that provides] a secure way for Web applications and services to connect. They don’t require users to share their account credentials with those applications,” said Ayse Firat, director of analytics and customer insights at Cisco Cloudlock.
“Because most programmers use it so universally in almost all Web-based applications and platforms — including consumer as well as enterprise applications such as Google Apps, Office 365, Salesforce, LinkedIn and many others — it also provides a broad attack surface,” she told TechNewsWorld.
OAuth 2.0 is highly susceptible to phishing because every website using it asks end users for the username and password of their master identity. More than 275,000 OAuth apps connect to core cloud services.
OAuth-based attacks bypass all standard security layers, including next-generation firewalls, secure Web gateways, single sign-ons, multifactor authentication and more.
The Ramifications of Using OAuth
With software vendors increasingly putting their applications in the cloud, how great a risk do OAuth’s vulnerabilities pose?
“Most cloud services are pretty secure, and OAuth-based attacks likely will not be successful if services depending on the protocol are otherwise secure,” said Michael Jude, a program manager at Stratecast/Frost & Sullivan.
OAuth authentication “is bigger than just online apps,” he suggested. “It’s also a basic establishment protocol. It could become important in social media efforts to become more akin to common carriage operations for communications.”
OAuth “has to be done right, or there’s no future for social media-mediated communication services,” Jude warned.
Protecting Against OAuth-Based Attacks
Organizations need to develop a high-level strategy as well as a specific application use policy. This helps them decide how they will whitelist or ban applications, and they should share this vision.
Individual users should go into their Google account security settings and revoke permissions to applications they don’t know. They also “should never grant permissions to applications that request excessive access.”
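The two recommendations above (keep an allowlist of approved apps, and never grant excessive access) turned into a check, as an added example that is not from the article or from Google: it audits a set of connected-app grants against an allowlist and flags the mail-plus-contacts permission pattern the fake Docs app requested. The scope URIs are Google's published ones, used here on the assumption that they map to the plain-language permissions the article describes; the client IDs and grants are constructed.

```python
from dataclasses import dataclass

# Real Google OAuth scope URIs for the permissions the article describes in plain
# language (read/send/delete mail, manage contacts); the article names no scope
# URIs itself, so mapping them this way is an assumption.
MAIL_FULL = "https://mail.google.com/"
MAIL_SEND = "https://www.googleapis.com/auth/gmail.send"
CONTACTS = "https://www.googleapis.com/auth/contacts"
CONTACTS_RO = "https://www.googleapis.com/auth/contacts.readonly"
CALENDAR_RO = "https://www.googleapis.com/auth/calendar.readonly"
MAIL_CONTROL = {MAIL_FULL, MAIL_SEND}
CONTACT_ACCESS = {CONTACTS, CONTACTS_RO}


@dataclass(frozen=True)
class Grant:
    app_name: str    # display name shown on the consent screen
    client_id: str   # OAuth client the consent was granted to
    scopes: frozenset


def worm_grade(scopes):
    """The combination the Docs worm asked for: mail control plus the address book."""
    return bool(scopes & MAIL_CONTROL) and bool(scopes & CONTACT_ACCESS)


def audit(grants, allowlist):
    """Return one (client_id, verdict, reason) per grant. allowlist maps an
    approved client_id to the maximum scope set policy permits for it."""
    findings = []
    for g in grants:
        if g.client_id not in allowlist:
            reasons = ["client not on allowlist"]
            if g.app_name.lower().startswith("google"):
                reasons.append("name imitates a first-party Google product")
            if worm_grade(g.scopes):
                reasons.append("requests mail control plus contacts")
            findings.append((g.client_id, "REVOKE", "; ".join(reasons)))
        elif not g.scopes <= allowlist[g.client_id]:
            extra = ", ".join(sorted(g.scopes - allowlist[g.client_id]))
            findings.append((g.client_id, "REVIEW", "unapproved scopes: " + extra))
        else:
            findings.append((g.client_id, "OK", "within approved scopes"))
    return findings


# Constructed sample data; the client IDs are hypothetical, not from the article.
ALLOWLIST = {"calsync.example": frozenset({CALENDAR_RO}),
             "crm.example": frozenset({CONTACTS_RO})}
SAMPLE_GRANTS = [
    Grant("Google Docs", "lookalike-123", frozenset({MAIL_FULL, CONTACTS})),
    Grant("CalSync", "calsync.example", frozenset({CALENDAR_RO})),
    Grant("CRM Connector", "crm.example", frozenset({CONTACTS_RO, MAIL_SEND})),
]
```

Running `audit(SAMPLE_GRANTS, ALLOWLIST)` yields REVOKE for the lookalike app, OK for the calendar tool, and REVIEW for the CRM connector that holds a send-mail scope beyond its approval.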
They are launching an effort to incorporate stricter security requirements into OAuth, Frost’s Jude said, “but I haven’t heard of any particular availability.”