Google Docs phishing attack: How does it work?

A Google Docs phishing attack used OAuth tokens to affect more than a million Gmail users. Nick Lewis explains how it happened, and how to defend against such an attack.

A Google Docs phishing attack that abused OAuth tokens gave attackers full access to users' Gmail accounts and contacts. Google shut down the attack within an hour of learning of it, disabling the attackers' email accounts and putting other protections in place. How did the attackers exploit OAuth in order to gain access to victims' Gmail accounts?

Google touts the security of its infrastructure, and it does a very good job of securing it. Because Google handles the infrastructure, Google and its customers need only address application security, which can make life significantly easier for developers. But application layer security still falls to the developers, and potentially to the users.

In the recent Google Docs phishing attack, Google's secure infrastructure was bypassed to compromise a significant number of user accounts. The attack was carried out by a third-party app that called itself "Google Docs" in an attempt to fool users into believing it was legitimately offered by Google; as many as 1 million Gmail users may have been affected by the campaign.

The impact on consumer accounts was not trivial, but for enterprises that use Google Docs, this could have been a much more significant event, especially if they store sensitive enterprise data in Google Docs.

The Google Docs phishing attack abused OAuth to give the attackers full access to users' Gmail accounts and contacts. The attackers apparently posed as a legitimate third party and were granted access to Google's OAuth APIs. This enabled them to generate legitimate OAuth tokens for the fake Google Docs app.

The phishing attack looked like a legitimate request to grant access for an application named Google Docs to the target users' accounts, which then set up an OAuth token to access the users' accounts from the malicious application. Google responded to the incident quickly by disabling the attackers' accounts and revoking their access to the compromised accounts; the company also pledged to update policies and enforcement for third-party usage of OAuth APIs.

Enterprises that want to proactively evaluate the security of cloud applications or accounts can script tools using Google APIs to check which third-party applications, integrations or other accounts have access to a specific account. At a minimum, Google Security Account Checkup could be used to secure accounts. Cloud access security broker tools can also automate many of these checks and more to address cloud security.
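As an added example (not from the original article), the triage step such a script would perform once it has pulled the list of OAuth grants for a user. The input shape assumed here follows the Admin SDK Directory API tokens.list response (one item per client holding a token); the sample grants and client IDs are constructed, and the impersonation check is a heuristic, not a Google-defined rule.

```python
"""Triage third-party OAuth grants on Google accounts for review.

Each item mirrors an Admin SDK Directory API `tokens.list` entry
(clientId, displayText, scopes, ...). Sample data below is constructed.
"""
from dataclasses import dataclass, field

# Scopes with the reach the fake "Google Docs" app asked for: mail and contacts.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.modify": "read/modify Gmail",
    "https://www.googleapis.com/auth/contacts": "read/write contacts",
    "https://www.googleapis.com/auth/drive": "full Drive access",
}

# Heuristic (assumption): Google's own products do not need a third-party
# grant to reach a user's data, so a third-party client using one of these
# names is worth a manual look.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "google sheets", "gmail"}

@dataclass
class Finding:
    user: str
    client_id: str
    display_text: str
    reasons: list = field(default_factory=list)

def triage_tokens(user: str, tokens: list) -> list:
    """Return one Finding per grant that deserves review (may be empty)."""
    findings = []
    for tok in tokens:
        reasons = []
        for scope in tok.get("scopes", []):
            if scope in SENSITIVE_SCOPES:
                reasons.append(f"sensitive scope: {SENSITIVE_SCOPES[scope]}")
        name = tok.get("displayText", "")
        if name.strip().lower() in GOOGLE_PRODUCT_NAMES:
            reasons.append(f"display name impersonates a Google product: {name!r}")
        if reasons:
            findings.append(Finding(user, tok.get("clientId", "?"), name, reasons))
    return findings

SAMPLE_TOKENS = [  # constructed sample, not real grants
    {"clientId": "000000000000-fake.apps.googleusercontent.com", "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"clientId": "calendar-sync-example", "displayText": "Calendar Sync (example)",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

if __name__ == "__main__":
    for f in triage_tokens("alice@example.com", SAMPLE_TOKENS):
        print(f.user, f.client_id, f.display_text, "; ".join(f.reasons))
```

A grant flagged here is a candidate for revocation (the Directory API exposes a delete call per user and client ID) and for a check of whether the client ID belongs to a vendor the enterprise actually onboarded.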

This was last published in October 2017