Massive Google Phishing Attack Highlights OAuth's Flaws

Google announced yesterday that Gmail for Android will soon warn you about potentially malicious emails. The company's timing couldn't have been more ironic, because on the same day, roughly 1 million people were affected by a phishing attack that stole information from their Google accounts.

The attack worked by tricking people into giving a malicious app permission to access their Google accounts. How? By sending emails that appeared to come from Google Docs, the collaborative productivity suite, which bore a link to a Google sign-in page. Once there, an app called "Google Docs" requested permission to access the victim's Google account. If those permissions were granted, the attacker had almost total access to the account, which meant they could "read, send, delete, and manage your email" and "manage your contacts" without alerting Google's security features.

That entire process--from receiving the spoofed email to giving the attacker total access to your account--could take just a few seconds. Many people send files to each other via Google Docs, and because the spoofed emails appeared to come from someone the victim knew, most probably didn't think twice before clicking the malicious link. From there, why wouldn't you let Google Docs access your account? Both are offered by Google, after all, and it's not hard to imagine a less technically savvy individual just assuming that Google had changed something in its services to require new permissions.

This isn't a new problem. Researchers warned back in 2011 that OAuth systems, which Google and other companies use to provide other services access to your account, could allow this kind of attack. All someone has to do is make it seem like their app is legitimate by, say, calling it "Google Docs." Then, as long as victims trust the OAuth system, they probably won't think twice about providing access to their accounts.

The attack broke down under scrutiny--clicking on the Google Docs name on the sign-in page revealed the attacker's email address--but many will just take that sort of thing at face value.

A Common Problem

Many services request access to other accounts. Google, Facebook, and Twitter especially have many apps or websites that work on top of their own products. (Think a third-party email app, for example, or a Twitter client.) Most of those apps can be trusted. But even before this attack, we've learned in recent months that letting other companies access your personal accounts can backfire. Twitter showed this in March, when accounts were hijacked to post swastikas and other offensive content. The accounts themselves weren't compromised--they just used a service, Twitter Counter, that was hacked.

Even more recently, a service called Unroll.me caused an uproar for selling personal data collected from people who used its service. The tool requests access to your email account to help you unsubscribe from unwanted promotional messages; it then uses that access to look at receipts and collect other information that's anonymized and sold to other companies. (Someone claiming to work for a company that almost acquired Unroll.me also alleged on Hacker News that the startup kept copies of every email you sent or received while you used its service.)

The reality is that modern companies don't want you to think about to whom you offer access to your personal information, how that information is used, or where that information goes. Many have focused on making life as "frictionless" as possible. The end result is an ecosystem where 0.1% of Google users--that's 1 million people--could have their lives upended because they didn't stop to think about an app requesting access to their accounts. But, again: Why would they? Google, Facebook, Twitter, and the companies that build on top of their services have trained them not to.

Google's Response

Google acknowledged the attack in a series of tweets from the official Google Docs account. It also released this statement:

Here's a link to that Security Checkup page. You can find all the apps connected to your account in the "check your account permissions" section. The app you're looking for in this case is called Google Docs--even if you use that service, there's no legitimate reason for it to appear here. While you're there, you might want to see if there are apps you aren't using that still have access to your account. And if you were affected by this attack, you should know two things: that this is why phishing attacks are so dangerous, and that you can take comfort in knowing you're in good company. Google and Facebook were phished between 2013 and 2015. The attacker didn't get away with their emails--they stole $100 million.

Let's be clear, too, in saying that the new protections in Gmail for Android aren't ironic just because they were announced the same day as this large-scale phishing attack. No, it's because this attack happened when Google's security system worked as intended. An app wanted permission to access someone's accounts, those people gave that permission, and then Google handled the rest. The only rubs were that the app was malicious, that it masqueraded as a Google service to trick people, and that it succeeded because Gmail didn't flag those emails.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • clonazepam
    The emails were all sent to a public email address. It was kind of interesting to see that this phishing scam penetrated several .edu, .org, and .gov email addresses. I hope someone in Utah's DHS (and obviously everyone else) gets a refresher. If you knew where to look, you could see all who had been duped.
    Reply