
Google quickly disables phishing scheme, but vulnerability remains

Internet security is a real pain. Even when you have done everything right and locked everything down tight, a new attack comes along that leverages legitimate sites and services in stealing your private and sensitive data.

That is just what happened Wednesday, as a phishing scheme exploded that used Google’s own OAuth authentication system to grant access to a nefarious web app. Unlike other phishing schemes that use a fake internet address to lure the unsuspecting, this attack merely popped up a Google authorization request with a misleading app title.

It’s important to note that Google responded quickly and removed the offending app, thus shutting down this particular phishing scheme. However, the phishing method itself does not seem to have been rectified. Here’s Google’s statement:

“We have taken action to protect users against an email impersonating Google Docs and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”

The issue was originally highlighted on Reddit, where Redditor JakeSteam provided a step-by-step recreation of the attack. The attack has also been seen in the wild by Digital Trends’ own staff, and so we can confirm that these steps are accurately described.

The process was relatively simple. A potential victim received an email offering to share a Google Doc.


Clicking on the “Open in Docs” button popped up a legitimate Google account selection screen, which when clicked returned an equally legitimate Google authentication request to allow the app to access the user’s Gmail and Google contacts information.


It’s only by clicking on the Google Docs’ developer link that the typical user’s suspicion level might be raised. The problem here is that many people would trust an offer to share a Google Docs file, and it would then seem perfectly reasonable that Google Docs was the system requesting access.
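Because the app title on the consent screen can say anything, a defender triaging a reported link should look at what the authorization request actually contains: the client ID, the requested scopes and where the tokens will be sent. The following Python helper is an added example, not code from the article or from Google; the high-impact scope list, the placeholder client ID and the redirect host are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed list (an assumption) of Google API scopes treated as high impact
# for this check; the app in the article asked for Gmail and contacts access.
HIGH_IMPACT_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

def triage_consent_url(url, trusted_client_ids=frozenset()):
    """Parse a Google OAuth authorization URL and report what matters.

    The consent screen's app title can be anything (the article's app called
    itself "Google Docs"), so only client_id, scopes and redirect_uri count.
    """
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    client_id = params.get("client_id", [""])[0]
    # OAuth scopes are space separated; parse_qs already turned '+' into ' '
    scopes = params.get("scope", [""])[0].split()
    redirect_host = urlparse(params.get("redirect_uri", [""])[0]).hostname or ""
    high_impact = sorted(s for s in scopes if s in HIGH_IMPACT_SCOPES)

    findings = []
    if parsed.hostname != "accounts.google.com":
        findings.append("not a Google OAuth consent URL; treat as an ordinary link")
    if high_impact:
        findings.append("asks for high-impact scopes: " + ", ".join(high_impact))
    google_owned = redirect_host == "google.com" or redirect_host.endswith(".google.com")
    if redirect_host and not google_owned:
        findings.append(f"tokens would be sent to third-party host {redirect_host}")
    risky = bool(high_impact) and client_id not in trusted_client_ids
    return {"client_id": client_id, "scopes": scopes, "high_impact": high_impact,
            "redirect_host": redirect_host, "findings": findings, "risky": risky}

# Constructed sample consent URL; client ID and redirect host are placeholders
SAMPLE_URL = ("https://accounts.google.com/o/oauth2/v2/auth"
              "?client_id=EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
              "&redirect_uri=https%3A%2F%2Fdocs-share.example%2Fcallback"
              "&scope=https%3A%2F%2Fmail.google.com%2F"
              "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
              "&response_type=code")

if __name__ == "__main__":
    for finding in triage_consent_url(SAMPLE_URL)["findings"]:
        print("-", finding)
```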

If you’ve already fallen prey to this phishing scheme, then you will want to disallow that app from accessing your data. You can do that by visiting the Connected Apps and Sites section of Google’s security page and clicking “Manage Apps.” Then click on the Google Docs app in the list, and hit the “Remove” button. Now might be a good time to review all of your connected apps and remove any that aren’t legitimate.

The primary lesson here is the same as it has been for a long time now: If you aren’t expecting a shared file, then do not click anything when one is offered. If you are not sure who the file is from, then look into the sender and make sure it’s someone you trust.

Google will likely be looking into this issue and hopefully figuring out a way to resolve it. This particular phishing attack was shut down, but the ability to use Google’s legitimate authentication system for attacks is worrisome.

Mark Coppock
Mark has been a geek since MS-DOS gave way to Windows and the PalmPilot was a thing. He’s translated his love for…