A Google Docs phishing attack that abused OAuth tokens gave attackers full access to users' Gmail accounts and...
contacts. Google shut down the attack within an hour of learning of it, disabling the attackers' email accounts and putting other protections in place. How did the attackers exploit OAuth in order to gain access to victims' Gmail accounts?
Google touts the security of its infrastructure, and it does a very good job of securing that infrastructure. That secure infrastructure means Google and its customers only need to address application security, which can make life significantly easier for developers. This still leaves application layer security to the developers, and potentially even the users.
In the recent Google Docs phishing attack, Google's secure infrastructure was bypassed to compromise a significant number of user accounts. The attack was carried out by an app called Google Docs in an attempt to fool users into believing it was legitimately offered by Google; as many as 1 million Gmail users may have been affected by the campaign.
The impact on consumer accounts was not trivial, but for enterprises that use Google Docs, this could have been a much more significant event, especially if they store sensitive enterprise data in Google Docs.
The Google Docs phishing attack abused OAuth to give the attackers full access to users' Gmail accounts and contacts. The attackers apparently posed as a legitimate third party and were granted access to Google's OAuth APIs. This enabled them to generate legitimate OAuth tokens for the fake Google Docs app.
The phishing attack looked like a legitimate request to grant access for an application named Google Docs to the target users' accounts, which then set up an OAuth token to access the users' accounts from the malicious application. Google responded to the incident quickly by disabling the attackers' accounts and revoking their access to the compromised accounts; the company also pledged to update policies and enforcement for third-party usage of OAuth APIs.
Enterprises that want to proactively evaluate the security of cloud applications or accounts can script tools using Google APIs to check what third-party applications, integrations or other accounts have access to a specific account. Minimally, Google Security Account Checkup could be used to secure accounts. Cloud access security broker tools can also automate many of these checks and more to address cloud security.
Find out how insecure OAuth implementations can threaten mobile app users
Learn how a malicious app slipped by Google Play app store security
Read how the Pokemon GO app was issued a full access OAuth token
Dig Deeper on Web authentication and access control
Related Q&A from Nick Lewis
A new remote access Trojan called UBoatRAT was found spreading via Google services and GitHub. Learn how spotting command-and-control systems can ... Continue Reading
CyberArk researchers created an attack called Golden SAML that uses Mimikatz techniques and applied it to a federated environment. Learn more about ... Continue Reading
The use of botnets to spread Scarab ransomware intensifies the threat for enterprises. Discover the best way to respond to such a threat and protect ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.