Google Tightens OAuth Rules to Block Phishing

Enterprise & IT, May 8, 2017

Google is taking action to prevent a repeat of last week's fake Docs phishing attack, by tightening enforcement of the OAuth system it uses for linking third-party apps to Google accounts.

Last week, Google's systems were abused to spread phishing emails using an app that purported to be Google Docs. The bogus Docs app used Google's OAuth implementation to request access to the Gmail accounts of targets. If users granted the app access, it sent the same phishing email to the user's contacts.

Chet Wisniewski, principal research scientist at security firm Sophos, says the fake Docs phishing attack was "no different than the abuse of the Google Play store by malware authors". Only instead of installing a malicious app from Google Play, the user is receiving a real email from Google and authorizing an app from Google's actual OAuth interface.

"There is very little individuals can do other than be forever suspicious about legitimate requests from services provided by Google, Twitter, Facebook, and other online services that use OAuth with an unvetted application developer program," he writes.

"Attacks on systems that are open for anyone to sign up as a developer using OAuth have been vulnerable to this type of attack for a long time, and the onus is on Google to do a better job vetting application developers," he adds.

Google has several mechanisms to combat this type of phishing attack, including machine-learning spam detection, its Safe Browsing system, and virus scans on attachments.

However, the company on Friday also said it will update its policies and enforcement on OAuth applications.

"We're taking multiple steps to combat this type of attack in the future, including updating our policies and enforcement on OAuth applications, updating our anti-spam systems to help prevent campaigns like this one, and augmenting monitoring of suspicious third-party apps that request information from our users," wrote Mark Risher, director of Google's Counter Abuse Technology.

Google has also alerted its G Suite customers who were fooled by the phishing attack.
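The kind of monitoring described above can be approximated on the defender's side by triaging OAuth consent records for apps that borrow a first-party name while asking for mailbox access. The sketch below is an added example, not Google's or the article's code; the record layout, client IDs, allow-list and name list are assumptions, and the scope strings are Google OAuth scopes chosen for illustration.

```python
import unicodedata

# Assumption: product names this organisation treats as first-party brands.
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}
# Hypothetical allow-list of client IDs verified as the genuine apps.
TRUSTED_CLIENT_IDS = {"verified-docs-client.example"}
# Google OAuth scopes that grant mail or contacts access.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts",
}

def normalize(name):
    """Fold case, character width and punctuation before comparing names.
    Cross-script homoglyphs (e.g. Cyrillic letters) are not handled here."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    kept = "".join(c if c.isalnum() else " " for c in folded)
    return " ".join(kept.split())

def triage(grant):
    """Return 'allow', 'review' or 'block' for one consent record."""
    if grant["client_id"] in TRUSTED_CLIENT_IDS:
        return "allow"
    spoofed = normalize(grant["app_name"]) in PROTECTED_NAMES
    sensitive = bool(set(grant["scopes"]) & SENSITIVE_SCOPES)
    if spoofed and sensitive:
        return "block"   # first-party name plus mailbox access, unknown client
    if spoofed or sensitive:
        return "review"  # one signal only: needs a human decision
    return "allow"

# Constructed sample consent records (not real log data).
GRANTS = [
    {"user": "alice@example.com", "app_name": "Google Docs",
     "client_id": "unknown-dev-123.example",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"user": "bob@example.com", "app_name": "Google Docs",
     "client_id": "verified-docs-client.example",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"user": "carol@example.com", "app_name": "Mail Merge Helper",
     "client_id": "vendor-456.example",
     "scopes": ["https://www.googleapis.com/auth/gmail.send"]},
]

def report(grants):
    return [(g["user"], g["client_id"], triage(g)) for g in grants]
```
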
