It’s a phishing scheme that even multifactor authentication and changing your password won’t fix.
On Wednesday, a massive Google Docs phishing attack spread across Gmail, hijacking people’s accounts and spamming itself to the victims’ contact lists. Google quickly shut down the attack, which affected about 0.1 percent of Gmail’s users.
Even at that low number, with roughly 1 billion Gmail users, that’s still at least 1 million people being compromised. And the typical phishing detection that Gmail offers couldn’t block it because the attack didn’t even need victims to type in their passwords.
The phishing scam relied on OAuth exploitation, a rare scheme that exposed itself to the world on Wednesday. OAuth, which stands for Open Authorization, lets apps and services “talk” to each other without logging into your accounts. Think about how your Amazon Alexa can read off your Google Calendar events, or how your Facebook friends can see what song you’re listening to on Spotify. In the last three years, apps that use OAuth jumped from 5,500 to 276,000, according to Cisco Cloudlock.
“Now that this technique is widely known, it’s likely to pose a significant problem — there are so many online services which use OAuth and it’s difficult for them to fully vet all of the third-party applications out there,” said Greg Martin, CEO of cybersecurity firm Jask, in an email.
How was the Google Docs exploit different from typical phishing attacks?
A typical phishing attack populates a website meant to trick you into typing your password, sending sensitive information to the thief or logging it in a database.
With OAuth exploits, as in the case of the Google Docs scam, accounts can be hijacked without the user typing in anything. In the Google Docs scheme, the attacker created a fake version of Google Docs and asked for permission to read, write and access the victim’s emails.
By granting the OAuth exploit permission, you’ve effectively given the bad guys access to your account without needing a password.
Why can’t I just change my password?
OAuth doesn’t work through passwords, it works through permission tokens. If a password is a key locking your account’s doors, OAuth is a doorman who has the keys and who gets tricked into letting other people in.
You would need to revoke the permissions to kick out the intruders.
Why doesn’t multifactor authentication stop OAuth exploits?
Multifactor authentications work by prompting you to enter a security code when you try logging in through a password.
Again, in this exploit, passwords are not the entry point. So when hackers use OAuth exploits, they don’t need to enter a password — the victim duped into giving permission already did.
“The applications themselves are not required to have a second factor once the user has granted permissions,” according to Cisco’s research.