In May, a phishing campaign took advantage of users of Google Docs. Emails were sent containing a link to Google Docs that appeared to be an invitation to collaborate on a document. The emails contained all the typical branding one would expect from a legitimate request.
However, the request was not sent via Google Docs. It was sent via a third-party app that had been named Google Docs. Clicking the link to accept the request to collaborate on the document actually installed a malicious app.
If a recipient followed the instructions in the email they would grant the app certain permissions. Doing so would see the same request sent to all of their contacts.
While the attacks were limited to approximately 0.1% of Gmail users, that is still a considerable number of people – 0.1% equates to around 1 million users. The attack may have been limited, but it prompted Google to make a number of changes that make it much harder for apps to plug into Google services, such as improving the registration process so that anonymous individuals cannot as easily connect unknown apps to Google accounts.
The additional changes that have just been introduced improve security further. Users will now be presented with a warning if an app has not been verified. They will be given the option to return to safety, or if they insist on installing the unverified app, they are required to type ‘continue’ before the app will be installed.
The protections have been put in place for new apps that are pending verification, although Google will also roll out the additional protections to existing apps.
Google said, “This new notice will also help developers test their apps more easily. Since users can choose to acknowledge the ‘unverified app’ alert, developers can now test their applications without having to go through the OAuth client verification process first.”
Google says that it has also extended these protections to Apps Script projects that request OAuth access to data, saying the same warning screens will be displayed. Consumers are further protected with a reminder that they should carefully consider whether they trust a particular application before they grant OAuth access.
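The attack described above combined three signals a defender can look for when reviewing OAuth grants: an app display name that mimics a first-party product, an app that has not been through verification, and scopes covering mail or contacts (the access the campaign needed to re-send itself to every contact). The script below is an added example, not code from the article or from Google; it scans a constructed audit export and flags grants that show those signals. The record layout, the `verified` field and the sample client IDs are assumptions for illustration; the scope URIs are real Google API scopes.

```python
"""Added example: flag risky third-party OAuth grants in an audit export.

The record format below is an assumption, not a real Google export format.
Sample grants are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Real Google scope URIs that give an app access to mail or contacts, which
# is what a self-propagating consent-phishing app needs in order to spread.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# First-party product names that a third-party app should never be using as
# its own display name (lower-cased for comparison).
FIRST_PARTY_NAMES = {"google docs", "google drive", "google sheets", "gmail"}


@dataclass(frozen=True)
class Grant:
    """One OAuth consent record (field names are assumed for this example)."""
    user: str
    display_name: str   # name shown on the consent screen
    client_id: str      # OAuth client ID of the third-party app
    scopes: Tuple[str, ...]
    verified: bool      # whether the app passed OAuth client verification (assumed field)


def risk_flags(grant: Grant) -> List[str]:
    """Return the list of risk signals a single grant exhibits (empty if none)."""
    flags: List[str] = []
    if grant.display_name.strip().lower() in FIRST_PARTY_NAMES:
        flags.append("impersonates-first-party-name")
    if not grant.verified:
        flags.append("unverified-app")
    if set(grant.scopes) & HIGH_RISK_SCOPES:
        flags.append("mail-or-contacts-scope")
    return flags


def audit(grants: List[Grant]) -> Dict[Tuple[str, str], List[str]]:
    """Map (user, client_id) to its risk flags, keeping only flagged grants."""
    result: Dict[Tuple[str, str], List[str]] = {}
    for grant in grants:
        flags = risk_flags(grant)
        if flags:
            result[(grant.user, grant.client_id)] = flags
    return result


def users_per_client(grants: List[Grant]) -> Dict[str, int]:
    """Count distinct users who granted each client ID.

    A single unverified client suddenly appearing across many accounts is the
    fan-out pattern of a worm that re-sends its invitation to every contact.
    """
    seen = {(g.client_id, g.user) for g in grants}
    return dict(Counter(client_id for client_id, _ in seen))


# Constructed sample export: client IDs are placeholders, not real apps.
SAMPLE_GRANTS = [
    Grant("alice@example.com", "Google Docs", "111-constructed.apps.example",
          ("https://mail.google.com/",
           "https://www.googleapis.com/auth/contacts.readonly"), False),
    Grant("bob@example.com", "Google Docs", "111-constructed.apps.example",
          ("https://mail.google.com/",
           "https://www.googleapis.com/auth/contacts.readonly"), False),
    Grant("carol@example.com", "Calendar Sync", "222-constructed.apps.example",
          ("https://www.googleapis.com/auth/calendar.readonly",), True),
    Grant("dave@example.com", "Mail Client", "333-constructed.apps.example",
          ("https://www.googleapis.com/auth/gmail.readonly",), True),
]


if __name__ == "__main__":
    for key, flags in audit(SAMPLE_GRANTS).items():
        print(key, flags)
    print(users_per_client(SAMPLE_GRANTS))
```

On the constructed export the impersonating, unverified client is flagged on all three signals for both users who accepted it, the verified mail client is flagged only for its mail scope, and the calendar app is not flagged at all; `users_per_client` then shows the same client ID appearing across multiple accounts, which is the spread pattern worth alerting on.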
These additional protections will help to prevent malicious apps from being installed and make it harder for consumer data to be phished by bad actors.