Google Warns Users of Potentially Risky Web Apps

Google is taking another step to better protect users from malicious third-party web applications: it is now warning users of newly created web apps and Apps Scripts that are pending verification.

The move follows a series of similar protective measures the Internet giant announced earlier this year, after many of its users were hit by a phishing attack where a rogue app was found impersonating Google Docs. To prevent similar incidents, the company tightened OAuth rules and also started scrutinizing new web apps that request user data.

The new warning screen will be accompanied by changes expected to improve the developer experience, the company says, adding that the verification process and the new warnings will expand to existing apps in the coming months.

The new “unverified app” screen that users will see when accessing newly created web applications and Apps Scripts that require verification will replace the “error” page that has been served to developers and users over the past several months. The screen will appear before users are taken to the permissions consent screen, and it only informs them that the app has not yet been verified.

Through these new notices, users will be automatically informed if they may be at risk, helping them make more informed decisions to keep their information safe. Testing and developing applications should also become simpler.

“This will help reduce the risk of user data being phished by bad actors. This new notice will also help developers test their apps more easily,” Naveen Agarwal, Identity team, and Wesley Chun, Developer Advocate, G Suite, note in a blog post.

Users have the option to dismiss the alert, which allows developers to test applications without going through the OAuth client verification process first. Google has published a series of steps in a help center article explaining how developers can begin the verification process to remove the interstitial and prepare their app for launch.

The same protections are being applied to Apps Script beginning this week, meaning that all new Apps Scripts requesting OAuth access to data from users in other domains may also get the “unverified app” alert. Additional information was published in a verification documentation page.

“Apps Script is proactively protecting users from abusive apps in other ways as well. Users will see new cautionary language reminding them to ‘consider whether you trust’ an application before granting OAuth access, as well as a banner identifying web pages and forms created by other users,” Agarwal and Chun say.

Next, Google is planning an expansion of the verification process to existing apps as well, meaning that developers of some current apps may have to go through the verification flow. To ensure no issue will hinder the transition, developers should make sure their contact information is up-to-date.

“In the Google Cloud Console, developers should ensure that the appropriate and monitored accounts are granted either the project owner or billing account admin IAM role. In the API manager, developers should ensure that their OAuth consent screen configuration is accurate and up-to-date,” Google says.

The company has published help center articles to provide detailed information on granting IAM roles and on configuring the consent screen.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
