Attackers Used Plaxo as Proxy to Hijack Google Accounts

Online Address Book Service Plaxo Switching to oAuth After Being Used to Access Google Accounts

Plaxo, a popular online address book service, has disabled its API and suspended some services after attackers used them as a proxy to target an unknown number of Google accounts.

In a blog post, Plaxo, a subsidiary of cable giant Comcast, said it has disabled the AB Widget function within its API and started moving all connections to Google over to the more secure oAuth method.

The move to oAuth was previously planned, and is already in use for new users. The AB Widget was slated for end of life late last year. The AB Widget is an API function that enabled websites to import address books from other hosted services, including Google. When it was deployed in 2006, the AB Widget was one of the first applications online to offer such a feature.

“Google and Plaxo detected a malicious party misusing Plaxo’s server connection to Google as a means to login to Google accounts using a set of credentials the malicious party obtained on their own. These credentials were not obtained from Plaxo. This party used a function we call the AB Widget which we had slated for retirement to access those accounts hiding behind Plaxo’s proxy,” Plaxo’s GM Preston Smalley wrote.

The shutdown of all connections from Plaxo to Google was taken as a precaution, the blog post added, and will remain in place until the transition to oAuth is complete.

“Google Sync will remain disabled until we have the more secure oAuth method available at which point you’ll be notified. This is a top priority for Plaxo, to re-enable Google Sync for our customers.”

It’s unclear how the attackers obtained the Google credentials used in the attack. However, both Plaxo and Google are encouraging anyone who received a notice about the failed access attempt to change their passwords immediately.

Looking back, even though the attack was thwarted, it shows that criminals are observant: they were aware of the Plaxo service and were willing to force it into a middle-man position in order to gain access to additional victims. The overall goal of the attack could be something as small as spam or, depending on the accounts targeted, the initial probe for a larger phishing attack.
