Gmail fake Docs attack: Now Google tightens OAuth rules to block phishing

Google vows to do more to prevent a repeat of last week's fake Docs phishing attack.
Written by Liam Tung, Contributing Writer

To prevent further fake Docs phishing attacks on Gmail users, Google says it will tighten enforcement of the OAuth system it uses for linking third-party apps to Google accounts.

Google has offered a more detailed explanation of how it plans to counter the abuse of its own systems to spread phishing emails after last week's attack on users with an app that purported to be Google Docs.

The bogus Docs app used Google's OAuth implementation to request access to the Gmail accounts of targets. If users granted the app access, it sent the same phishing email to the user's contacts.

It's not the first time attackers have used Google's OAuth for phishing. The so-called Fancy Bear hackers, who've been pegged for US and now French election hacking, used the same technique. As one security expert points out, Google could have prevented it by more thoroughly checking developers who register to use its OAuth mechanism.

Chet Wisniewski, principal research scientist at security firm Sophos, says the fake Docs phishing attack was "no different than the abuse of the Google Play store by malware authors". Only instead of installing a malicious app from Google Play, the user is receiving a real email from Google and authorizing an app from Google's actual OAuth interface.

"There is very little individuals can do other than be forever suspicious about legitimate requests from services provided by Google, Twitter, Facebook, and other online services that use OAuth with an unvetted application developer program," he writes.

"Attacks on systems that are open for anyone to sign up as a developer using OAuth have been vulnerable to this type of attack for a long time, and the onus is on Google to do a better job vetting application developers," he adds.

As Google previously explained, it has several mechanisms to combat this type of phishing attack, including machine-learning spam detection, its Safe Browsing system, and virus scans on attachments.

However, the company on Friday also said it will update its policies and enforcement on OAuth applications.

"We're taking multiple steps to combat this type of attack in the future, including updating our policies and enforcement on OAuth applications, updating our anti-spam systems to help prevent campaigns like this one, and augmenting monitoring of suspicious third-party apps that request information from our users," wrote Mark Risher, director of Google's Counter Abuse Technology.

Google has also alerted its G Suite customers who were fooled by the phishing attack.

According to Risher, fewer than 0.1 percent of its users were affected. In other words, as many as one million of Google's one billion Gmail users were exposed.

Read more about Gmail and phishing

Editorial standards