About 1 million Gmail users were attacked in a phishing
scam earlier this week using Google Docs.
According to the company, however, fewer than 0.1 percent of Gmail users were affected.
Last year, Gmail had more than 1 billion monthly active users.
Google said it shut down the phishing scam within an hour through both automated and manual actions: the fake pages and applications were removed, and updates were rolled out through Safe Browsing, Gmail and its other anti-abuse systems.
Users neither need to worry nor need to take any action on their own in response to the attack, Google said, but those who have connected third-party apps to their account and want to review them can do so at its Security Checkup site.
At the same time, Google recently launched a new anti-phishing security feature for Gmail on Android. The feature shows a warning when a user clicks on a malicious link in an email message, alerting them that the link they are trying to visit has been identified as a phishing link. Users can go back or continue to the link at their own risk.
Google phishing warning
Google is gradually rolling out the new feature to all G Suite users.
How the Docs Attack Went Down
This week's Docs attack was an effective technique for luring users before Google clamped down.
People received an email from a known person inviting them to click on a link to collaborate on a Google Doc.
Clicking on the "Open in Docs" link redirected them to a fake Google OAuth 2.0 page to authorize the Google Docs application.
The application noted that Google Docs would like to read, send, delete and manage the recipient's email and manage their contacts, requests that are common to several applications that use Google as an authentication mechanism.
Once the permission was granted, the attacker gained access to the victim's address book, which let the attack spread virally at great speed.
The OAuth Vulnerability
Ayse Firat, director of analytics and customer insights at Cisco Cloudlock, said that the attack leveraged OAuth, "a ubiquitous industry standard protocol that provides a secure way for Web applications and services to connect without requiring users to share their account credentials with those applications."
"Because it's so universally adopted by almost all Web-based applications and platforms, that includes consumer as well as enterprise applications such as Google Apps, Office 365, Salesforce, LinkedIn and many others, it provides a broad attack surface," she told TechNewsWorld.
OAuth 2.0 is highly susceptible to phishing, as every website using it asks end users to sign in with the username and password of their master identity. Cisco Cloudlock has found more than 275,000 OAuth apps connected to core cloud services such as Office 365, compared with only 5,500 three years ago.
Firat warned that "the attacks that are based on OAuth bypass all standard security layers, including next-generation firewalls, single sign-ons, secure Web gateways, multifactor authentication and more."
The Consequences of Using OAuth
With software vendors increasingly putting their applications in the cloud, how great a risk do OAuth's vulnerabilities pose for end users?
Michael Jude, a program manager at Stratecast/Frost & Sullivan, said that most cloud services are quite secure, and OAuth-based attacks likely will not succeed if the services that depend on the protocol are otherwise secured.
He also suggested that OAuth authentication is bigger than just online apps: it is also a foundational protocol that could become important in social media efforts to become more akin to common-carriage communications operations.
Jude warned that OAuth has to be done right, or there is no future for social media-mediated communication services.
Protecting Against OAuth-Based Attacks
Firat suggested that firms need to develop both a tight high-level strategy and a specific application-use policy that decides how they will whitelist or ban applications, and share this vision with their end users.
Individual users should go into their Google account security settings and revoke permissions for applications they don't know or trust, she recommended. They should also never grant permissions to applications that request excessive access.
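As an added example, not code from the article, Google or Cisco Cloudlock, here is a small Python audit check that applies the two recommendations above to a list of connected-app grants: a client-id allowlist per the firm's application-use policy, and a flag for third-party apps that borrow a first-party name or request the mail-plus-contacts combination the fake "Google Docs" app asked for. The grant records and client ids are constructed placeholders; the scope URIs are Google's real ones.

```python
from dataclasses import dataclass

# Google's real scope URIs: full Gmail access, People API contacts, and send-only mail.
FULL_MAIL = "https://mail.google.com/"
CONTACTS = "https://www.googleapis.com/auth/contacts"
SEND_MAIL = "https://www.googleapis.com/auth/gmail.send"
HIGH_RISK = {FULL_MAIL, CONTACTS, SEND_MAIL}

# Product names a third-party client should never present itself under.
RESERVED_NAMES = {"google docs", "google drive", "gmail"}


@dataclass
class Grant:
    app_name: str    # name shown on the consent screen / in Security Checkup
    client_id: str   # OAuth client id (constructed placeholders below)
    scopes: set      # scopes the user granted


def assess(grant, allowlist):
    """Return the reasons a grant needs review; an empty list means it is acceptable."""
    if grant.client_id in allowlist:
        return []  # explicitly whitelisted by the application-use policy
    reasons = []
    if grant.app_name.strip().lower() in RESERVED_NAMES:
        reasons.append("third-party client presents a first-party product name")
    risky = grant.scopes & HIGH_RISK
    if FULL_MAIL in risky and CONTACTS in risky:
        reasons.append("mailbox plus contacts access: can read mail and reach the address book")
    elif risky:
        reasons.append("high-risk scope(s): " + ", ".join(sorted(risky)))
    return reasons


def review(grants, allowlist):
    """Map client id -> reasons for every grant that should be reviewed or revoked."""
    findings = {}
    for grant in grants:
        reasons = assess(grant, allowlist)
        if reasons:
            findings[grant.client_id] = reasons
    return findings


# Constructed sample: the lookalike "Google Docs" grant from the attack, a whitelisted
# calendar tool, and an unknown tool that only asks to send mail.
SAMPLE_GRANTS = [
    Grant("Google Docs", "lookalike-0001.apps.example", {FULL_MAIL, CONTACTS}),
    Grant("Team Calendar Sync", "calendar-0002.apps.example", {"https://www.googleapis.com/auth/calendar"}),
    Grant("Newsletter Helper", "news-0003.apps.example", {SEND_MAIL}),
]
ALLOWLIST = {"calendar-0002.apps.example"}

if __name__ == "__main__":
    for client_id, reasons in review(SAMPLE_GRANTS, ALLOWLIST).items():
        print(client_id, "->", "; ".join(reasons))
```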
Efforts have been launched to incorporate stricter security requirements into OAuth, Frost's Jude said, "but I haven't heard of any particular availability."