Breaking News

Sharkoon announces Rebel P20 White CASIO at GESS Dubai 2024 LIAN LI Launches the Ultimate Motorized Desk-Station with the DK07 Getting started with PlayStation 5 Pro, out today NIKON announces Z50II

logo

Google Tightens OAuth Rules to Block Phishing

Google Tightens OAuth Rules to Block Phishing

Enterprise & IT 0

Google is taking action to prevent a repeat of last week's fake Docs phishing attack, by tightening enforcement of the OAuth system it uses for linking third-party apps to Google accounts.

Lats week, Google's systems were abused to spread phishing emails using an app that purported to be Google Docs. The bogus Docs app used Google's OAuth implementation to request access to the Gmail accounts of targets. If users granted the app access, it sent the same phishing email to the user's contacts.

Chet Wisniewski, principal research scientist at security firm Sophos, says the fake Docs phishing attack was "no different than the abuse of the Google Play store by malware authors". Only instead of installing a malicious app from Google Play, the user is receiving a real email from Google and authorizing an app from Google's actual OAuth interface.

"There is very little individuals can do other than be forever suspicious about legitimate requests from services provided by Google, Twitter, Facebook, and other online services that use OAuth with an unvetted application developer program," he writes.

"Attacks on systems that are open for anyone to sign up as a developer using OAuth have been vulnerable to this type of attack for a long time, and the onus is on Google to do a better job vetting application developers," he adds.

Google has several mechanisms to combat this type of phishing attack, including machine-learning spam detection, its Safe Browsing system, and virus scans on attachments.

However, the company on Friday also said it will update its policies and enforcement on OAuth applications.

"We're taking multiple steps to combat this type of attack in the future, including updating our policies and enforcement on OAuth applications, updating our anti-spam systems to help prevent campaigns like this one, and augmenting monitoring of suspicious third-party apps that request information from our users," wrote Mark Risher, director of Google's Counter Abuse Technology.

Google has also alerted its G Suite customers who were fooled by the phishing attack.

Related Posts