A Google Docs phishing attack that abused OAuth tokens gave attackers full access to users' Gmail accounts and contacts. Google shut down the attack within an hour of learning of it, disabling the attackers' email accounts and putting other protections in place. How did the attackers exploit OAuth in order to gain access to victims' Gmail accounts?
Google touts the security of its infrastructure, and it does a very good job of securing it. That leaves Google and its customers with only application security to address, which can make life significantly easier for developers. But application layer security still falls to those developers, and potentially to the users themselves.
In the recent Google Docs phishing attack, Google's secure infrastructure was bypassed to compromise a significant number of user accounts. The attack was carried out by an app called Google Docs in an attempt to fool users into believing it was legitimately offered by Google; as many as 1 million Gmail users may have been affected by the campaign.
The impact on consumer accounts was not trivial, but for enterprises that use Google Docs, this could have been a much more significant event, especially if they store sensitive enterprise data in Google Docs.
The Google Docs phishing attack abused OAuth to give the attackers full access to users' Gmail accounts and contacts. The attackers apparently posed as a legitimate third party and were granted access to Google's OAuth APIs. This enabled them to generate legitimate OAuth tokens for the fake Google Docs app.
The phishing attack looked like a legitimate request to grant an application named Google Docs access to the target user's account; approving it issued an OAuth token that let the malicious application access that account. Google responded to the incident quickly by disabling the attackers' accounts and revoking their access to the compromised accounts; the company also pledged to update policies and enforcement for third-party usage of OAuth APIs.
Enterprises that want to proactively evaluate the security of cloud applications or accounts can script tools against Google's APIs to check which third-party applications, integrations or other accounts have access to a given account. At a minimum, Google's account Security Checkup could be used to review and secure accounts. Cloud access security broker tools can also automate many of these checks and more to address cloud security.
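As an added example (not from the original article and not Google's own tooling), this is the kind of check that paragraph describes, run offline over constructed token records. The field names (userKey, clientId, displayText, scopes) are an assumption modelled on the Admin SDK Directory API tokens.list response; the script flags third-party grants that present themselves under a Google product name or hold broad mail and contacts scopes, the two traits of the fake Google Docs app.

```python
import re
from typing import Dict, Iterable, List

# Scopes that hand an app the whole mailbox or the contact list; the fake
# "Google Docs" app asked for this kind of access, so review any such grant.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                  # full Gmail access
    "https://www.googleapis.com/auth/contacts",  # read/write contacts
}
# A genuine third-party app has no reason to use a Google product name.
GOOGLE_BRAND_RE = re.compile(r"\b(google\s*(docs|drive|sheets)|gmail)\b", re.I)

def review_token(token: Dict) -> List[str]:
    """Return the reasons one authorized app looks risky (empty if none)."""
    reasons = []
    name = token.get("displayText", "")
    if GOOGLE_BRAND_RE.search(name):
        reasons.append(f"app name impersonates a Google product: {name!r}")
    risky = sorted(HIGH_RISK_SCOPES.intersection(token.get("scopes", [])))
    if risky:
        reasons.append("broad scopes granted: " + ", ".join(risky))
    return reasons

def review_grants(grants: Iterable[Dict]) -> List[tuple]:
    """Walk per-user token records; return (user, clientId, name, reasons)."""
    findings = []
    for rec in grants:
        reasons = review_token(rec)
        if reasons:
            findings.append((rec["userKey"], rec["clientId"], rec["displayText"], reasons))
    return findings

# Constructed sample records, shaped like Admin SDK Directory API tokens.list
# items (field names are an assumption; client IDs are placeholders).
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "clientId": "fake-docs.apps.example",
     "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "alice@example.com", "clientId": "cal-sync.apps.example",
     "displayText": "Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "bob@example.com", "clientId": "mailclient.apps.example",
     "displayText": "Desktop Mail Client", "scopes": ["https://mail.google.com/"]},
]

if __name__ == "__main__":
    for user, cid, name, reasons in review_grants(SAMPLE_GRANTS):
        print(f"{user}: {name!r} ({cid}) -> {'; '.join(reasons)}")
```

Feeding real tokens.list output through review_grants gives a per-user list of grants to revoke or confirm, rather than relying on each user to inspect their own consent screen.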