Taking steps to prevent future phishing scams.
Google has updated its app identity guidelines and put new review processes and restrictions on web apps that request user data in response to the phishing scam that popped up last week. It’s all outlined on the Google developer blog, which outlines the new steps web app developers will need to abide by in order to help Google and its users better detect spoofed or misleading app identities.
On May 3, you may have received some suspicious emails with convincing Google Doc links. This was a phishing scam concocted by a third party developer who managed to create a web app that convincingly mimicked Google Docs and quickly spread, spammed users with links requested access to send and receive emails on users’ behalf, along with general access to accounts.
To Google’s credit, it took immediate action and had disabled the offending accounts little over two hours after users first started reporting the issue on social media. In its official response, Google stated it was working on new measures to prevent such things from happening again.
These changes are now in place and may affect how developers go about registering new applications or modify existing applications. The new review process includes a manual review for some web applications asking for data permissions, which Google says may take up to 7 business days to process. Developers will be able to continue testing their applications with accounts registered as an owner or editor of the project, but public accounts will get an error message instead of a permissions consent page.
These changes might be a bit frustrating for those developers who have no malicious intent, but should prevent future phishing scams. Meanwhile, as users, we should always be paying attention to those app permission windows whenever they pop up.