Breaking News

ASUS Republic of Gamers Announces Availability of Swift OLED PG27AQWP-W and Strix OLED XG27AQWMG ASUS Announces Prime AP303 Compact Mid-Tower ATX Case Canon launches versatile EOS R6 Mark III and innovative RF 45mm F1.2 STM lens uHoo Launches Caeli – The Smart Air Quality Monitor DJI Introduces Osmo Mobile 8 with Intelligent Subject Tracking

logo

Google Tightens OAuth Rules to Block Phishing

Google Tightens OAuth Rules to Block Phishing

Enterprise & IT 0

Google is taking action to prevent a repeat of last week's fake Docs phishing attack, by tightening enforcement of the OAuth system it uses for linking third-party apps to Google accounts.

Lats week, Google's systems were abused to spread phishing emails using an app that purported to be Google Docs. The bogus Docs app used Google's OAuth implementation to request access to the Gmail accounts of targets. If users granted the app access, it sent the same phishing email to the user's contacts.

Chet Wisniewski, principal research scientist at security firm Sophos, says the fake Docs phishing attack was "no different than the abuse of the Google Play store by malware authors". Only instead of installing a malicious app from Google Play, the user is receiving a real email from Google and authorizing an app from Google's actual OAuth interface.

"There is very little individuals can do other than be forever suspicious about legitimate requests from services provided by Google, Twitter, Facebook, and other online services that use OAuth with an unvetted application developer program," he writes.

"Attacks on systems that are open for anyone to sign up as a developer using OAuth have been vulnerable to this type of attack for a long time, and the onus is on Google to do a better job vetting application developers," he adds.

Google has several mechanisms to combat this type of phishing attack, including machine-learning spam detection, its Safe Browsing system, and virus scans on attachments.

However, the company on Friday also said it will update its policies and enforcement on OAuth applications.

"We're taking multiple steps to combat this type of attack in the future, including updating our policies and enforcement on OAuth applications, updating our anti-spam systems to help prevent campaigns like this one, and augmenting monitoring of suspicious third-party apps that request information from our users," wrote Mark Risher, director of Google's Counter Abuse Technology.

Google has also alerted its G Suite customers who were fooled by the phishing attack.

Related Posts