OAuth oversight allowed Google Docs ‘worm’ to spread like wildfire
Update: For now, it looks like the Google Docs OAuth phishing attack is over. Cloudflare has killed the domain behind the attack. Google has revoked the app’s authentication token, and is marking emails as spam. Continue to be on high alert and do not give permission to any apps with the name “Google” in them.
A Google Docs OAuth phishing attack is spreading like wildfire right now – dozens of business, government offices, and universities have sent out warnings to their users about a Google Docs phishing email.
Most phishing sites attempt to trick you into visiting a fake website designed to imitate the target. This is how the attack that targeted the DNC and John Podesta worked.
Today’s Google Docs phishing attack is using a slightly different strategy. When you click the “Open in Docs” link, you are sent to the *real* Google.com. But instead of being sent to Google Docs, you are asked to give an app permission to access to your account.
This app is named “Google Docs,” but it’s not the real service operated by Google. It’s a malicious app that has simply given itself the same name. The app requests permission to “read, send, delete, and manage your email” and “manage your contacts.” Clicking on the hyperlinked name of the app tells you it’s published by “firstname.lastname@example.org” – a random developer.
If you hit allow, you are granting permission through a genuine Google page to a malicious app. That app now has the ability to automatically send out emails to all your contacts – which is how it is spreading so quickly.
Google uses a standard called “OAuth” to allow third-party services to connect with your Google account and Google APIs. OAuth is used by thousands of legitimate sites to integrate with the data in your account and extend certain functionality.
But today’s attack has shown that OAuth can also be used maliciously and with great effect. The fact that Google has no restrictions on any application information – including names or images, has revealed how trivially easy it is to craft a convincing attack.
Using Google’s legitimate authentication system for malicious purposes cleverly circumvents the protections of two-factor authentication or authorization.
It is unclear what the goal of this attack was. It attracted so much attention to itself by spreading quickly that it ultimately got itself caught. This raises the question if the attack had malicious intent or if it was more of a nuisance.
Because the app had full access to your contacts and email history, it could have easily been copying that data or looking for high-value targets it had compromised.
If you gave access to this app, visit this Google page and “Remove” the malicious “Google Docs” app. At this point, Google has already killed the app on their end, so it should not be able to cause any more harm but you should still clear up your account.