{"id":4036,"date":"2017-05-05T17:01:31","date_gmt":"2017-05-05T21:01:31","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=4036"},"modified":"2017-06-01T17:24:54","modified_gmt":"2017-06-01T21:24:54","slug":"google-oauth-permissions","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/google-oauth-permissions\/","title":{"rendered":"\u201cGoogle Docs\u201d Phishing Attack Highlights Flaws with Google\u2019s OAuth Permissions"},"content":{"rendered":"<h2>One Click To Give An App Total Control Of Your Account<\/h2>\n<p><span id=\"newline\">Earlier this week, <a href=\"https:\/\/www.thesslstore.com\/blog\/google-docs-oauth-phishing\/\">a massive phishing campaign targeted Google users <\/a>with a malicious app named \u201cGoogle Docs\u201d and attempted to trick them into giving the app legitimate access to their account through Google\u2019s OAuth API.<\/span><\/p>\n<p>The attack spread incredibly quickly &#8211; the first known phishing email <a href=\"https:\/\/twitter.com\/cooperq\/status\/859917341617868802\" rel=\"nofollow\">was sent at 2:27pm EST<\/a> and about an hour later Google had stopped the attack by revoking the malicious app\u2019s API token. As <a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/massive-gmail-google-doc-phishing-email\" rel=\"nofollow\">many as a million accounts<\/a> may have been compromised in that small window.<\/p>\n<p>The attack is being referred to as \u201cdynamite phishing\u201d because of how many users it affected and it&#8217;s totally indiscriminate targets. The name also emphasizes the difference in tactics compared to \u201cspearphishing,\u201d an extremely narrow and tailored attack, which has been used in high-profile hacks of political figures.<\/p>\n<p>Now that the dust has settled, there is no indication the attack had malicious intent &#8211; code found by researchers suggests the primary purpose was replicating and spreading itself. It is entirely possible that emails and contact lists were downloaded and are being saved for a later use, but we likely won\u2019t know until the next attack is underway.<\/p>\n<p>Harm aside, this incident has raised a lot of questions about the OAuth standard and Google\u2019s implementation of it.<\/p>\n<p>Looking at the attack, it is clear that there were multiple failings in Google\u2019s design of their permission page, as well as bigger picture issues with one-click access to your personal data.<\/p>\n<h2>Why does Google allow apps to give themselves the same name as legitimate Google services?<\/h2>\n<p>The primary reason this attack was successful was because users were directed to a legitimate Google OAuth page asking them to give permission to \u201cGoogle Docs.\u201d Hiding the app\u2019s author behind a hyperlink didn\u2019t help either.<\/p>\n<p>What everyday user is going to be suspicious of a Google.com page asking \u201cGoogle Docs\u201d to access your Google account?<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4042\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/05\/google-oauth-permissions-1.png\" alt=\"google oauth permissions\" width=\"795\" height=\"219\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/05\/google-oauth-permissions-1.png 795w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/05\/google-oauth-permissions-1-300x83.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/05\/google-oauth-permissions-1-768x212.png 768w\" sizes=\"auto, (max-width: 795px) 100vw, 795px\" \/><\/p>\n<p>This was possible because Google <a href=\"https:\/\/twitter.com\/iandees\/status\/859857282074644481\" rel=\"nofollow\">does not perform any sort of validation<\/a> of the app name, icon, or URL, allowing anyone to mimic legitimate services. Any popular app or service could be easily spoofed.<\/p>\n<p>Working in the world of URLs, I know <a href=\"https:\/\/www.xudongz.com\/blog\/2017\/idn-phishing\/\" rel=\"nofollow\">how difficult it can be to prevent spoofing<\/a>. But let\u2019s start by blocking literal strings such as \u201cGoogle Docs\u201d &#8211; or anything with \u201cGoogle\u201d or any similar spellings. There is no legitimate reason third-party apps need to be using \u201cGoogle\u201d in their name &#8211; and this attack has shown just how effective this tactic is.<\/p>\n<p>To add insult to injury, Motherboard has found that this exact attack <a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/google-hackers-gmail-viral-phishing-campaign\" rel=\"nofollow\">was reported to Google<\/a> and publicly posted as a concept more than 6 years ago.<\/p>\n<h2>Why does Google not identify first-party services?<\/h2>\n<p>Google allows you to <a href=\"https:\/\/security.google.com\/settings\/security\/permissions\" rel=\"nofollow\">manage the apps connected<\/a> to your account through a page that lists each app, the permissions it has, and the date it was first authorized.<\/p>\n<p>What they don\u2019t show you is any clear identification of the app\u2019s author. We know that the malicious \u201cGoogle Docs\u201d app was published by the account \u201c<a href=\"mailto:eugene.pupov@gmail.com\" rel=\"nofollow\">eugene.pupov@gmail.com<\/a>.\u201d But <a href=\"https:\/\/twitter.com\/tomwarren\/status\/859856662835941376\/photo\/1\" rel=\"nofollow\">that information is not shown<\/a> on the permissions management page, nor is there any indicator the app is published by a third-party.<\/p>\n<p>Below is a screenshot of my account, where \u201cGoogle Chrome\u201d is listed as a connected app because I have signed into my browser with my account. How do I tell if this is legitimate or another malicious app?<\/p>\n<p>Why is there no way to differentiate between this first-party service provided by Google itself and other apps?<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4041\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/05\/google-oauth-permissions-2.png\" alt=\"google oauth permissions\" width=\"975\" height=\"694\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/05\/google-oauth-permissions-2.png 975w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/05\/google-oauth-permissions-2-300x214.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/05\/google-oauth-permissions-2-768x547.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/p>\n<h2>Why are Google OAuth permissions so broad?<\/h2>\n<p>An app that wants to connect to your Gmail account has <a href=\"https:\/\/developers.google.com\/identity\/protocols\/googlescopes#gmailv1\" rel=\"nofollow\">10 different permissions<\/a> it can request. These permissions come with a varying degree of access. They can essentially get full control over your email with the permission to \u201cread, send, delete, and manage your email.\u201d<\/p>\n<p>The most restrictive permission only gives \u00a0access to add, modify, and delete mail labels (or maybe its \u201cmanage basic mail settings\u201d &#8211; but after 30 minutes of Googling I couldn\u2019t figure out what that encompassed).<\/p>\n<p>But what do all of 10 of the permissions have in common? They are all scoped to the entire Gmail account. My Gmail inbox goes back to 2006 &#8211; before I was 18.<\/p>\n<p>I can only imagine the terrible security hygiene I had then and what sort of personal information has accumulated in emails and drafts over more than a decade of inbox history. Should I be deleting old emails? Yes, probably. But expecting every end-user to manage their inbox is never going to be a reasonable solution here.<\/p>\n<p>The depth of access is the problem here. No app should be able to get total read\/write access to your entire email account through one button press.<\/p>\n<p>It is clear that there are major problems with Google\u2019s handling of permissions and third-party access.<\/p>\n<p>Some security professionals have been taking the outrage further and saying OAuth is the problem. But given the size of this attack, is it not impressive that Google was able to stop everything by revoking a single app\u2019s OAuth token?<\/p>\n<p>I am not convinced the issue is inherent to OAuth or similar systems. The problem is that Google seems to have done the bare minimum when it comes ensuring their OAuth ecosystem is safe, with little consideration put into reasonable permissions and clear UI.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One Click To Give An App Total Control Of Your Account Earlier this week, a massive phishing campaign targeted Google users with a malicious app named \u201cGoogle Docs\u201d and attempted&#8230;<\/p>\n","protected":false},"author":2,"featured_media":4043,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[131,166],"class_list":["post-4036","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-google","tag-phishing","post-with-tags"],"views":8379,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/05\/iStock-458969127.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/4036","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=4036"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/4036\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/4043"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=4036"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=4036"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=4036"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}