Google Docs was pulled into a sneaky email phishing attack on Tuesday that was designed to trick users into giving up access to their Gmail accounts.

The phishing emails, which circulated for about three hours before Google stopped them, invited the recipient to open what appeared to be a Google Doc. The teaser was a blue box that said, “Open in Docs.”

In reality, the link led to a dummy app that asked users for permission to access their Gmail account.

[Image via Reddit: an example of the phishing email that circulated on Tuesday.]

Users might easily have been fooled, because the dummy app was actually named “Google Docs.” It also asked for access to Gmail through Google’s actual login service.

The hackers were able to pull off the attack by abusing the OAuth protocol, the mechanism that lets internet accounts at Google, Twitter, Facebook and other services connect with third-party apps.

The OAuth protocol never hands the app the user’s password; instead it issues an access token that grants the app a defined level of access to the account.

However, OAuth can be dangerous in the wrong hands. The hackers behind Tuesday’s attack appear to have built a real third-party app and run it through Google’s genuine authorization flow, so the token that gave them account access was issued by Google itself.
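As an added example (not part of the original article or of any Google tooling), the following Python triages an OAuth 2.0 authorization request for the signals this attack relied on: a third-party app whose display name imitates a Google product, broad mailbox scopes, and an authorization code delivered to a non-Google host. The sample URL, client ID and app name are constructed; the scope URIs are Google’s documented ones.

```python
"""Triage an OAuth 2.0 authorization request for consent-phishing signals."""
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Google-documented scope URIs that hand over mailbox or contact data.
SENSITIVE_SCOPES: Dict[str, str] = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.modify": "read/modify Gmail",
    "https://www.googleapis.com/auth/contacts": "contacts",
}

# Display names a third-party app has no business using on a Google consent screen.
IMPERSONATED_NAMES = {"google docs", "google drive", "gmail", "google"}

# Constructed sample: a dummy app called "Google Docs" asking for Gmail and contacts,
# sending the authorization code to an unrelated domain. Not a real client ID.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/auth?client_id=EXAMPLE-CLIENT-ID"
    "&redirect_uri=https%3A%2F%2Fdocs.example.net%2Fcallback"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "&response_type=code"
)


def triage_consent_request(auth_url: str, app_display_name: str) -> List[str]:
    """Return human-readable findings for an authorization URL and the app name on its consent screen."""
    findings: List[str] = []
    query = parse_qs(urlparse(auth_url).query)

    # OAuth scopes are space-separated inside a single parameter; parse_qs already decoded '+'.
    requested = set(" ".join(query.get("scope", [])).split())
    for scope in sorted(requested & SENSITIVE_SCOPES.keys()):
        findings.append(f"requests {SENSITIVE_SCOPES[scope]} ({scope})")

    # The code (and hence the token) goes wherever redirect_uri points.
    redirect_host = urlparse(query.get("redirect_uri", [""])[0]).hostname or ""
    if redirect_host and not (redirect_host == "google.com" or redirect_host.endswith(".google.com")):
        findings.append(f"authorization code is delivered to third-party host {redirect_host}")

    # The name on the consent screen is chosen by the app developer, not by Google.
    if app_display_name.strip().lower() in IMPERSONATED_NAMES:
        findings.append(f"app name '{app_display_name}' imitates a first-party Google product")
    return findings


if __name__ == "__main__":
    for finding in triage_consent_request(SAMPLE_AUTH_URL, "Google Docs"):
        print("-", finding)
```

A redirect to a third-party host is normal for legitimate apps; it becomes a signal only in combination with the impersonating name and broad scopes.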

[Image via Reddit: the dummy app asking for account permission.]

“The attack is quite clever and it exploits the ability for you to link your Google Account to a third-party application,” said Mark Nunnikhoven, vice president of cloud research at security firm Trend Micro.
