Google Tightens OAuth Rules to Combat Phishing

Following last week’s phishing attack against Gmail users, Google is planning tightened OAuth rules to prevent similar incidents from occurring.

Phishing emails, which impersonate a trusted source to trick the recipient into opening a malicious attachment or clicking a suspicious link, have long been a favorite tool for attackers. Google’s email service blocks millions of phishing emails each day, but last week’s incident proved that the system isn’t invincible.

The phishing attack tricked users into granting access to their contact information to a third-party application cleverly named “Google Docs.” As a result, the attacker gained access to all of the affected users’ email content, and the phishing email immediately propagated to all of each victim’s contacts.

The phishing emails, which appeared to arrive from someone in the victim’s contact list, claimed to contain a link to Google Docs content that the sender wanted to share with the recipient. Once the user clicked on the link, they were taken to a legitimate Google sign-in page, where they were asked to authorize an app called “Google Docs,” thus allowing it to read, send, delete, and manage emails and contacts.

Google was able to spot and block the attack quickly, but the nature of the incident meant that the immediate actions users might have taken, such as changing passwords, had no effect. Because OAuth was used, the attackers still had access to the account, and only removing permissions for the offending app could solve the issue.
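Because the grant outlives a password change, the practical check is over the list of third-party app authorizations. The sketch below is an added example, not code from Google or from the article: it flags grants whose display name imitates a Google brand while holding mail or contacts access. The record layout, client IDs and users are constructed assumptions.

```python
import unicodedata

# Real Google scope strings for the access described above: full Gmail
# (read, send, delete, manage) and contacts management.
MAIL = "https://mail.google.com/"
CONTACTS = "https://www.googleapis.com/auth/contacts"
HIGH_RISK_SCOPES = {MAIL, CONTACTS}
PROTECTED_BRANDS = ("google", "gmail")  # names a third-party app should not carry
TRUSTED_CLIENT_IDS = {"first-party-client.example"}  # placeholder allowlist
# A few look-alike characters folded to ASCII (illustrative, not exhaustive).
CONFUSABLES = str.maketrans({"\u043e": "o", "\u0435": "e", "0": "o", "1": "l"})


def normalize(name):
    """Casefold, fold look-alikes, and keep only letters and digits."""
    folded = unicodedata.normalize("NFKC", name).casefold().translate(CONFUSABLES)
    return "".join(ch for ch in folded if ch.isalnum())


def review_grant(grant):
    """Return the reasons a grant needs attention (empty list if none)."""
    if grant["clientId"] in TRUSTED_CLIENT_IDS:
        return []
    reasons = []
    if any(brand in normalize(grant["displayText"]) for brand in PROTECTED_BRANDS):
        reasons.append("brand look-alike name from an untrusted client")
    risky = HIGH_RISK_SCOPES.intersection(grant["scopes"])
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    return reasons


def grants_to_revoke(grants):
    """(user, client) pairs that both imitate a brand and hold risky scopes."""
    return [(g["userKey"], g["clientId"]) for g in grants if len(review_grant(g)) == 2]


# Constructed sample records; none of these values come from the incident.
_FIELDS = ("userKey", "clientId", "displayText", "scopes")
_ROWS = [
    ("alice@example.com", "first-party-client.example", "Google Docs",
     ["https://www.googleapis.com/auth/drive"]),
    ("bob@example.com", "unknown-client-1.example", "Google Docs", [MAIL, CONTACTS]),
    ("carol@example.com", "unknown-client-2.example", "G\u043e\u043egle D\u043ecs", [MAIL]),
    ("dave@example.com", "calendar-helper.example", "Team Calendar Sync",
     ["https://www.googleapis.com/auth/calendar.readonly"]),
    ("erin@example.com", "mail-merge.example", "Mail Merge Tool", [MAIL]),
]
SAMPLE_GRANTS = [dict(zip(_FIELDS, row)) for row in _ROWS]
```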

“We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again,” Google said after the incident.

Now, the company reveals that it is updating its policies and enforcement on OAuth applications to prevent similar attacks from happening in the future. Moreover, updates to Google’s anti-spam systems should help prevent similar campaigns, and augmented monitoring of suspicious third-party apps that request information from users should add an extra layer of security.

“We’re committed to keeping your Google Account safe, and have layers of defense in place to guard against sophisticated attacks of all types, from anti-hijacking systems detecting unusual behavior, to machine learning models that block malicious content, to protection measures in Chrome and through Safe Browsing that guard against visiting suspicious sites,” Google says.

Notably, the concept behind such an attack isn’t new. It was first presented in 2011 by André DeMarre, and then thoroughly detailed by Greg Carson in February 2017.

In fact, the cyber espionage group known as Pawn Storm (aka Fancy Bear, APT28) was observed using the very same technique in the past. Trend Micro recently revealed that this actor’s phishing scheme employed an application dubbed Google Defender, while abusing “the same legitimate OAuth connection to exploit the user’s lack of knowledge of available services.”

In an emailed statement to SecurityWeek, Jaime Blasco, Chief Scientist at AlienVault, shared a similar point of view: “This is similar to what APT28 (the group behind the DNS hack, France election groups attacks, etc) was using a while back. I don’t believe they are behind this though because this is way too widespread. Many people/organizations have received similar attempts so this is probably something massive and less targeted.”

According to Google, less than 0.1% of Gmail users were impacted by last week’s “Google Docs” incident, but, as Talos’ Sean Baird and Nick Biasini point out, this proof-of-concept did reveal that a convincing Google phish via OAuth is possible.

To further protect users from such attacks, Google also announced anti-phishing security checks for Gmail for Android. Thus, users will be warned when clicking on suspicious links they receive via email, which should help prevent them from disclosing financial and personal information.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
