About 1 million Gmail users were targeted by a phishing scam earlier this week that abused Google Docs. However, according to the company, fewer than 0.1 percent of Gmail users were actually affected.
Last year, the number of monthly active Gmail users was more than 1 billion.
Google said it shut down the phishing scam within an hour through both automatic and manual actions: the fake pages and applications were removed, and updates were rolled out through Safe Browsing, Gmail and other anti-abuse systems.
Users do not need to worry or take any action on their own in response to the attack, Google said, but those who have connected third-party apps to their account and want to review them can do so at its Security Checkup site.
Around the same time, Google launched a new anti-phishing security feature for Gmail on Android. When a user clicks a link in an email message that has been identified as a phishing site, the feature shows a warning; the user can then go back or continue to the link at their own risk.
Google is gradually rolling out the new feature to all G Suite users.
How the Docs Attack Went Down
This week's Docs attack used a clever technique to lure users before Google clamped down.
People received an email from a known person inviting
them to click on a link to collaborate on a Google Doc.
Clicking the "Open in Docs" link sent them to Google's own OAuth 2.0 consent page, asking them to authorize a third-party application that the attacker had named "Google Docs". Because the consent page was genuine, none of the usual signs of a phishing site were present; only the application behind it was fake.
The consent screen noted that "Google Docs" would like to read, send, delete and manage the recipient's email and manage their contacts, permissions that are commonly requested by applications that use Google as an
Once the permission was granted, the attacker's application could read the victim's address book and send the same invitation to the victim's contacts from the victim's own account, which let the attack go viral very quickly.
The OAuth Vulnerability
Ayse Firat, director of analytics and customer insights at Cisco Cloudlock, said that the attack leveraged OAuth, "a ubiquitous industry standard protocol that provides a secure way for Web applications and services to connect without requiring users to share their account credentials with those applications."
"Because it's so universally adopted by almost all Web-based applications and platforms, including consumer as well as enterprise applications such as Google Apps, Office 365, Salesforce, LinkedIn and many others, it provides a broad attack surface," she told TechNewsWorld.
OAuth 2.0 is highly susceptible to phishing because every website using it asks end users to grant access through their master identity (a Google or Microsoft account, for example), so users are accustomed to approving such requests; and because no password is typed into the third-party site, the familiar warning signs of a phishing page are absent. Three years ago, Cisco Cloudlock found more than 275,000 OAuth apps connected to core cloud services, like Office 365, compared with only
Firat warned that "the attacks that are based on OAuth bypass all standard security layers, including next-generation firewalls, single sign-ons, secure Web gateways, multifactor authentication and more."
Consequences of Using OAuth
With software vendors increasingly putting their
applications in the cloud, how great a risk do OAuth's vulnerabilities pose for
Michael Jude, a program manager at Stratecast/Frost & Sullivan, said that most cloud services are quite secure, and OAuth-based attacks likely will not be successful if services depending on the protocol are
He also suggested that OAuth authentication is bigger than just online apps: it is also a foundational protocol that could become important in efforts to make social media more akin to common-carriage communications operations.
Jude warned that OAuth has to be done right, or there is no future for social media-mediated communication services.
Defending Against OAuth-Based Attacks
Firms need to develop a high-level strategy as well as a specific application-use policy that decides how they will whitelist or ban applications, and they should share this vision with their end users, Firat suggested.
Individual users should go into their Google account security settings and revoke permissions for applications they don't know or trust, she recommended. They should also never grant permissions to applications that request excessive access.
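The consent step described in the attack walkthrough above and Firat's advice to whitelist applications, revoke unknown ones and refuse excessive permissions can be expressed as one policy check. The following is an added example, not code from the article, from Google or from Cisco Cloudlock: it parses an OAuth 2.0 authorization URL of the kind the "Open in Docs" link pointed at, pulls out the requested scopes, and grades either a consent request about to be approved or an app already connected to an account against a hypothetical organisation allowlist. The Gmail, Contacts and Drive scope URIs are real Google scopes; the sample authorization URL, client IDs, app names and the allowlist are constructed for illustration.

```python
"""Policy check for OAuth 2.0 consent requests and connected apps.

Added example, not code from the article, Google or Cisco Cloudlock.
The Gmail, Contacts and Drive scope URIs are real Google scopes; the
sample authorization URL, client IDs, app names and the allowlist are
constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Real Google scope URIs mapped to the wording the consent screen shows for them.
# Full Gmail access is the scope behind "read, send, delete and manage your email".
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "read, send, delete and manage your email",
    "https://www.googleapis.com/auth/contacts": "manage your contacts",
    "https://www.googleapis.com/auth/drive": "see, edit, create and delete all your Drive files",
}
# Scopes that only identify the user; acceptable without review.
LOW_RISK_SCOPES = {"openid", "email", "profile"}

# Hypothetical organisation allowlist: client IDs the security team has reviewed.
ALLOWLISTED_CLIENT_IDS = {
    "1234-reviewed-calendar-app.apps.googleusercontent.com",  # constructed
}

# Product names a third-party client must never present itself under.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google"}


@dataclass
class Finding:
    severity: str  # "critical", "high" or "medium"
    message: str


def parse_authorization_request(url):
    """Pull client_id, redirect_uri and requested scopes out of an OAuth 2.0
    authorization URL, the kind of link an "Open in Docs" button points at."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)

    def first(key):
        return params.get(key, [""])[0]

    return {
        "consent_host": parsed.netloc,
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        # RFC 6749 section 3.3: scope is one space-separated parameter.
        "scopes": first("scope").split(),
    }


def evaluate_app(app_name, client_id, scopes):
    """Grade one app, either a consent request about to be approved or an app
    already listed among the account's connected third-party apps."""
    findings = []
    if app_name.strip().lower() in FIRST_PARTY_NAMES:
        findings.append(Finding("critical",
                                f"third-party client presents itself as '{app_name}'"))
    if client_id not in ALLOWLISTED_CLIENT_IDS:
        findings.append(Finding("high", f"client {client_id} is not on the allowlist"))
    for scope in scopes:
        if scope in HIGH_RISK_SCOPES:
            findings.append(Finding("high", f"requests to {HIGH_RISK_SCOPES[scope]} ({scope})"))
        elif scope not in LOW_RISK_SCOPES:
            findings.append(Finding("medium", f"requests unreviewed scope {scope}"))
    return findings


def verdict(findings):
    """deny: impersonation; review: unknown client or broad access; allow: otherwise."""
    severities = {f.severity for f in findings}
    if "critical" in severities:
        return "deny"
    if "high" in severities:
        return "review"
    return "allow"


def audit_connected_apps(apps):
    """Apply the same policy to apps already connected to an account (what
    Security Checkup lists) and return a verdict per app name."""
    return {app["name"]: verdict(evaluate_app(app["name"], app["client_id"], app["scopes"]))
            for app in apps}


# Constructed authorization URL modelled on the consent step of the Docs attack:
# Google's genuine consent endpoint, an unknown client, full Gmail plus Contacts.
DOCS_ATTACK_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=111111-docs-lookalike.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-lookalike.example%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "&state=c0ffee"
)

if __name__ == "__main__":
    request = parse_authorization_request(DOCS_ATTACK_URL)
    findings = evaluate_app("Google Docs", request["client_id"], request["scopes"])
    print(f"consent page host: {request['consent_host']} (genuine, which is the problem)")
    for finding in findings:
        print(f"[{finding.severity}] {finding.message}")
    print("verdict:", verdict(findings))
```

Two design points are worth noting. The consent host is reported but not used as a signal, because in this attack it was Google's real endpoint; the tell is the combination of a first-party product name on a client ID nobody has reviewed with full mailbox access. And the same `evaluate_app` grades both a pending consent request and the apps a user already sees under connected third-party apps, so the "revoke what you don't recognise" advice and the "never grant excessive access" advice are one policy applied at two moments.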
Efforts have been launched to incorporate stricter
security requirements into OAuth, Frost's Jude said, "but I haven't heard
of any particular availability."