On Wednesday, millions of Google users received an email from a contact, asking them to edit a Google Doc. The email was actually a phishing attack that gave hackers access to Google accounts.
How Did This Happen?
Oh, clever evil people. You’ve outdone yourselves this time. Clicking on the link brought victims not to an actual Google Doc but to a malicious app NAMED Google Docs. This malicious app, like many third-party apps, used a sign-on system called OAuth. Google uses OAuth to let third-party apps create Google-based logins that make it easier for us to get around the web.
So when the victims clicked on the Google Doc link, the malicious app NAMED Google Docs asked for permission to log in. The authorization was something we do every day without thinking, and the familiarity of the screens and process made it very hard for normal humans to recognize this as a phishing attempt. The bad guys didn’t get victims’ passwords, but they did get access to the victims’ Google accounts, which they used to send more of the bogus emails from those unsuspecting Google users’ accounts.
Is Google at Fault?
The short answer is no… Google wasn’t hacked, nor did the phishing attack occur inside the Google infrastructure. But Google’s defense mechanisms didn’t kick in to protect users until the scam hit the news. And this scam unveiled the weakness of OAuth, which many, many sites use.
Is the Problem Fixed?
Well, kinda. OK, not really. Google disabled the bogus app, but another security expert was able to create another bogus app called Google Docs, this time replacing one of the Google “o”s with a Cyrillic “o,” which looks exactly the same.
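The kind of check a platform could run on third-party app names before showing them on a consent screen, as an added example that is not from the original post or from Google: it flags names that mix alphabets and names that read as a protected product name once look-alike letters are folded to Latin. The function names, the protected-name list and the small look-alike table are assumptions made for this sketch.

```python
import unicodedata

# Names a third-party app should never display (assumed list for this example).
PROTECTED_NAMES = {"google docs", "google drive"}

# Small constructed table of Cyrillic letters that render like Latin ones.
# A production check would use the full Unicode confusables data (UTS #39).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

def scripts_used(name):
    """Return the scripts of the letters in name, e.g. {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            # Unicode character names start with the script: "CYRILLIC SMALL LETTER O"
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts

def skeleton(name):
    """Normalize, fold case, and map known look-alikes to their Latin form."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in folded)

def review_app_name(name, first_party=False):
    """Return the reasons to reject an app display name (empty list = accept)."""
    reasons = []
    if len(scripts_used(name)) > 1:
        reasons.append("mixed-script")
    if not first_party and skeleton(name) in PROTECTED_NAMES:
        reasons.append("impersonates-protected-name")
    return reasons

if __name__ == "__main__":
    # Constructed sample names: a benign app, the plain copycat name,
    # and the variant with a Cyrillic "o" (U+043E) in place of a Latin one.
    for sample in ["Budget Planner", "Google Docs", "G\u043eogle Docs"]:
        print(ascii(sample), review_app_name(sample))
```

The mixed-script test alone would have missed the first app, which used the plain Latin name, so the protected-name comparison has to run on every third-party registration.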
So How Can We Protect Ourselves from Scams Like This?
The best advice is the same we’ve been giving for years… Never, ever, ever click on a link if you don’t know that the person is sending you something. If it’s out of the blue, give the person a call to verify. Take this precaution even if it’s your favorite aunt who sends you something. Beyond that, The New York Times has some great advice, including a recommendation to use two-factor authentication, the theme of this year’s World Password Day.