A new type of spear phishing attack hit Google Docs users early Wednesday, resulting in stolen contact lists and Gmail inbox access for the affected users.
The attack took advantage of a user-interface flaw in Google’s OAuth page, the interstitial webpage that asks users to grant a third-party app permission to access their Gmail account.
More Sophisticated Phishing Attack
Here’s how it worked: A potential victim would receive an email with a link to a Google Doc from a person they trusted. The email was an exact copy of the standard Google Docs invitation email, which other phishers have simulated before.
However, where this new attack differed was that once the user clicked the link, they would be redirected to a real Google OAuth page, asking them to give the “Google Docs” app access to their Gmail account. The authentication page was real, but the app that was asking for permission wasn’t really Google Docs; it was a phishing app that had named itself “Google Docs” and copied the official logo.
The only way a savvy user could tell that this wasn’t the real Google Docs was by clicking on the app name and taking note of the email address of the app developer. In this case, that owner was one “firstname.lastname@example.org,” who was obviously not an official representative of Google Inc.
Most users never think to click for more details about an OAuth app, especially when the invite is coming from a person they know and trust. In its efforts to simplify and beautify the permissions page, Google had inadvertently hidden away critical information that, if displayed, would have revealed the ruse for what it was.
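The lesson of the attack is that the app name and logo on a consent page prove nothing; the developer identity behind the app and the scopes being requested are what matter. The following is an added example, not code from the article or from Google, showing how a user or an administrator reviewing apps could apply that rule: it reads the requested scopes out of a consent URL and flags an app whose display name mimics a Google product while its developer address is outside a trusted domain. The trusted-domain list, the product-name list, the scope list and the sample requests are all assumptions constructed for the example.

```python
"""Added example (not from the article): heuristics for reviewing an OAuth
consent request before accepting it. Trusted domains, product names, scopes
and the sample requests below are assumptions, not Google's own data."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumption: first-party Google apps are published from these domains.
TRUSTED_DEVELOPER_DOMAINS = {"google.com"}
# Product names a third-party app should never be allowed to use verbatim.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google sheets"}
# Scopes that hand over a mailbox or a contact list (the kind of access the
# attack described in the article obtained).
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}


@dataclass(frozen=True)
class ConsentRequest:
    display_name: str      # the app name shown on the consent page
    developer_email: str   # shown only after clicking the app name
    scopes: frozenset      # OAuth scopes the app is asking for


def normalize_name(name: str) -> str:
    """Fold case, drop punctuation and collapse whitespace so lookalikes
    such as 'Google  Docs.' compare equal to 'google docs'."""
    stripped = re.sub(r"[^\w\s]", "", name.casefold())
    return " ".join(stripped.split())


def scopes_from_consent_url(url: str) -> frozenset:
    """Return the space-separated `scope` parameter of a consent URL
    (the standard OAuth 2.0 authorization-request parameter)."""
    query = parse_qs(urlparse(url).query)
    return frozenset(query.get("scope", [""])[0].split())


def assess_consent(req: ConsentRequest) -> dict:
    """Rate a consent request: 'high' when a Google-branded name is backed
    by an untrusted developer AND sensitive scopes are requested, 'medium'
    when only one of those holds, 'low' otherwise."""
    findings = []
    domain = req.developer_email.rsplit("@", 1)[-1].casefold()
    trusted = domain in TRUSTED_DEVELOPER_DOMAINS
    impersonates = (normalize_name(req.display_name) in FIRST_PARTY_NAMES
                    and not trusted)
    if impersonates:
        findings.append(f"app name '{req.display_name}' looks like a Google "
                        f"product but its developer is at {domain}")
    sensitive = req.scopes & SENSITIVE_SCOPES
    if sensitive:
        findings.append("requests sensitive scopes: "
                        + ", ".join(sorted(sensitive)))
    if impersonates and sensitive:
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"risk": risk, "findings": findings}


# Constructed sample consent URL; the client_id and redirect_uri are placeholders.
SAMPLE_URL = ("https://accounts.google.com/o/oauth2/auth?client_id=CONSTRUCTED-ID"
              "&scope=https://mail.google.com/%20https://www.googleapis.com/auth/contacts"
              "&redirect_uri=https://example.org/cb")

if __name__ == "__main__":
    scopes = scopes_from_consent_url(SAMPLE_URL)
    # Constructed request modelled on the article's description of the phishing app.
    suspicious = ConsentRequest("Google Docs", "firstname.lastname@example.org", scopes)
    for line in assess_consent(suspicious)["findings"]:
        print("-", line)
```

The check deliberately keys on the developer address rather than the name or logo, because both of those were copied perfectly in the attack; an organization allow-listing OAuth apps can apply the same rule to its app inventory.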
Google Docs Fixed, OAuth Still Vulnerable
Via Twitter, Google was quick to reassure users that it had “disabled the offending accounts,” and that its abuse team was working to “prevent this kind of spoofing from happening again.” It did not elaborate on what steps were being taken to mitigate future attacks, although the simplest solution probably involves exposing the hidden developer information on the OAuth page.
In a lengthier statement, Google later mentioned that less than 0.1% of Gmail users had been affected by the attack. With over a billion users currently active on its platform, it’s safe to say that the phishing attack was at least partially successful in its mission. OAuth is a standard protocol for granting third-party apps delegated access to an account, implemented in similar ways by tech giants such as Facebook, Twitter, and Microsoft, and this is probably not the last we’ve seen of this phishing strategy.
Are you on the lookout for phishing attacks like this? Let us know in the comments.