If you clicked through the Google Docs invite, head to this page: https://myaccount.google.com/permissions. The attackers were able to automate contact collection to spread the attack, and the fake web app also requested access to read, send, delete, and manage Gmail accounts.
Here’s how it worked. Google suggests a good rule of thumb is that if you don’t know the person sending you an email, you shouldn’t open it or send account information to any of the links inside. If someone clicked on the fake Google Doc, the bug would email itself to their entire contact book. So far, so phishy.
In a tweet, Google said it is investigating a phishing email that poses as Google Docs. After you enter your password, the link then takes you to a third-party site that asks you for permission to access your email account.
“While not all affected email will necessarily be unsafe, we encourage you to be extra careful about clicking on links in messages that you’re not sure about”, Google wrote.
If you open the doc (please don’t), hackers can get control of your email, which may mean they can also get control of your Facebook, Twitter, or other accounts.
“We all use Google Docs”, Dori Horvath of Green Brook, New Jersey, who fell victim to the scam, said. A few days ago, internet users were receiving malicious invitations to log on to their Google accounts.
Google did not immediately say how many users were affected by the scam, but Roxbury, Somerset Hills and Wayne Township Public Schools say that they were affected, along with NJIT police. By clicking on the app’s name in the “to continue to Google Docs” prompt, users were able to see that it wasn’t the genuine Google Docs. The vulnerability was exposed for only about one hour, and affected about 1 million users. Clicking on the invitation led to a real Google account selection screen. You can revoke access by removing this Google Docs app from your permissions.
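
An administrator reviewing app permissions across many accounts could script the same check. The following is an added example, not part of the original article: the grant records, client IDs and first-party allowlist are constructed, and the two sensitive scopes are assumed to correspond to the Gmail and contacts access described above.

```python
import re
import unicodedata

# Assumption: allowlist of genuine first-party client IDs (placeholder value).
FIRST_PARTY_CLIENTS = {"FIRST-PARTY-CLIENT-ID-PLACEHOLDER"}
# Product names a third-party app should never use as its display name.
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}
# Assumption: scopes matching full Gmail control and contact access.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}

def normalize(name):
    """Fold case and reduce anything that is not a-z/0-9 to single spaces."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return re.sub(r"[^a-z0-9]+", " ", folded).strip()

def audit_grants(grants):
    """Flag third-party grants whose app name imitates a Google product."""
    findings = []
    for grant in grants:
        if grant["client_id"] in FIRST_PARTY_CLIENTS:
            continue  # genuine app, nothing to flag
        if normalize(grant["app_name"]) not in PROTECTED_NAMES:
            continue  # display name does not imitate a protected product
        risky = sorted(SENSITIVE_SCOPES & set(grant["scopes"]))
        findings.append({
            "user": grant["user"],
            "client_id": grant["client_id"],
            # Imitated name plus mail/contacts access: revoke immediately.
            "severity": "revoke" if risky else "review",
            "risky_scopes": risky,
        })
    return findings

# Constructed sample grant records (not real data).
SAMPLE_GRANTS = [
    {"user": "alice", "app_name": "Google Docs", "client_id": "FIRST-PARTY-CLIENT-ID-PLACEHOLDER",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"user": "bob", "app_name": "Google Docs", "client_id": "constructed-3p-001",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "carol", "app_name": "Calendar Helper", "client_id": "constructed-3p-002",
     "scopes": ["https://mail.google.com/"]},
    {"user": "dave", "app_name": "Google  Docs\u200b", "client_id": "constructed-3p-003",
     "scopes": ["openid"]},
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print(finding)
```

The name match is deliberately narrow: it catches exact reuse of a product name, including padding with whitespace or zero-width characters, but not look-alike spellings.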