Google Docs phishing attack underscores OAuth security risks


Google reported on Wednesday that it had taken action against the phishing attack that affected Gmail and Google Docs users.

By clicking on what looked like a standard mail, users ended up giving hackers control over their entire email history, attachments and contacts.

What made the phishing attack so convincing is that the website wasn’t a traditional phishing page but rather one that leveraged Google’s OAuth authentication interface. The campaign, Reuters said, involves a “novel approach to phishing”, wherein users are asked to click on a Google Docs link to grant access.

Once you clicked on the link inside the email, you were sent to a legitimate Google Apps page.

The app could have been called “Jane” or “Team Spreadsheet” or “Malicious Link”. Google lets you generate passwords for apps that don’t support its two-step verification system, but there’s no need for them in any Google-branded apps in iOS 8.3 or later, and OS X 10.10.3 Yosemite or later. It seems that, lately, this email service has been “attacked” by phishing emails, but Google has found a way to stop them by releasing a new update for the Gmail application.

Over a million Gmail users got hit by a phishing worm yesterday, sending the security world into a cacophony of screams and laughter. “The company also requested users to report any suspect phishing emails in Gmail”.

The phishing scam attempted to hack a user’s Google account after the user clicked a link that appeared to be from a trusted individual.

Rather than identifying the app as Google, the drop-down menu showed that the “Google Docs” app seeking third-party access was from a developer with the email [email protected] and was asking to redirect the recipient to a “Google sounding” URL.

But despite the cunning simplicity of the attack’s presentation – which would have made it hard for many to discern that something was fishy – experts say there were tell-tale signs indicating that something wasn’t right.


Google then told him that “We’re deploying some abuse detection and reactive measures to deal with impostors that might try to abuse this sort of attack”.
