In a typical phishing attack, users are tricked into keying in their passwords or other sensitive data on fake websites. However, the recent Google Docs phishing scam used OAuth, meaning that users didn’t have to enter any information to give the bad guys access to their email accounts.
What is OAuth?
OAuth is an open authorization standard that allows users to log in to third-party websites using their account with a site such as Google, Facebook, Twitter or Microsoft without disclosing their password for those services to the third-party sites.
Some sites allow you to log in using, for example, your Facebook account. To log in to such a site, you are sent to Facebook, where you enter your Facebook credentials if you are not already logged in. The third-party site never sees your Facebook password; instead, Facebook sends it a token that tells it who you are, and the third-party site then gives you access. Depending on what permissions you grant, you may also choose to give the third-party site access to some of your Facebook data, such as the names of your friends, or allow your Facebook friends to see what you are listening to on Spotify.
What happened in this scam?
OAuth is convenient when you are dealing with legitimate apps and websites, as you do not have to remember and enter a large number of passwords. You can use your credentials for a site such as Google or Facebook to log in to another site without revealing your Google or Facebook credentials to the other site.
In this scam, though, a fake app was created that led users to believe they were dealing with a Google Docs app. Instead of opening a document, the link in the email started the process of granting a phony app calling itself “Google Docs” access to the user’s Google account. If the user was already logged in to Google, the link led to an OAuth permissions page asking the user to “Allow” the app access to the user’s legitimate Google Drive. The page looked authentic to most users, and nothing about it would alert security software that the request was not legitimate.
Although Google shut the scam down quickly, an estimated one million users were affected. Because Google revoked the permissions that had been granted to the scam app, users’ information is now safe.
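The scam above worked because a third-party app was granted real permissions under a first-party name. The following audit script is an added example, not code from the original article or from Google; it walks a list of constructed OAuth grant records (the field names app_name, client_id, publisher_domain and scopes are assumptions, not any provider’s real API schema) and flags apps whose display name mimics a first-party product but whose publisher is not the provider, as well as grants that hand over mailbox or contact data.

```python
"""Audit third-party OAuth grants for consent-phishing indicators.

Added example, not part of the original article. The grant records below
are constructed; the field names (app_name, client_id, publisher_domain,
scopes) are assumptions, not any provider's real API schema.
"""
from dataclasses import dataclass, field

# Names that legitimately belong to the identity provider's own products.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail"}
# Publisher domains that may legitimately use those product names.
FIRST_PARTY_DOMAINS = {"google.com"}
# Scopes that hand over mailbox or contact data (illustrative strings).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}

@dataclass
class Grant:
    app_name: str
    client_id: str
    publisher_domain: str
    scopes: set = field(default_factory=set)

def audit_grant(grant):
    """Return a list of reasons this grant looks like consent phishing."""
    findings = []
    name = grant.app_name.strip().lower()
    if name in FIRST_PARTY_NAMES and grant.publisher_domain not in FIRST_PARTY_DOMAINS:
        findings.append(f"app name '{grant.app_name}' mimics a first-party product "
                        f"but is published by {grant.publisher_domain}")
    risky = grant.scopes & HIGH_RISK_SCOPES
    if risky:
        findings.append("requests high-risk scopes: " + ", ".join(sorted(risky)))
    return findings

def audit_all(grants):
    """Map client_id -> findings for every grant that raised at least one."""
    return {g.client_id: audit_grant(g) for g in grants if audit_grant(g)}

# Constructed sample: one lookalike app, one ordinary third-party app.
SAMPLE_GRANTS = [
    Grant("Google Docs", "client-lookalike-001", "example-attacker.test",
          {"https://mail.google.com/", "https://www.googleapis.com/auth/contacts"}),
    Grant("Team Calendar Sync", "client-calendar-002", "calendar-vendor.test",
          {"https://www.googleapis.com/auth/calendar.readonly"}),
]

if __name__ == "__main__":
    for cid, reasons in audit_all(SAMPLE_GRANTS).items():
        print(cid, "->", "; ".join(reasons))
```

In practice the grant list would come from the provider’s admin console or token-audit export; the checks themselves do not depend on where the records originate.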
How can users avoid these scams?
Many experts expect many more attacks of this kind, and there is currently no automated way to detect a phishing email. You should follow best practices for avoiding phishing attacks of all kinds. Because an attack using OAuth can be especially hard to detect, technology expert Bob Rankin offers the following: “My policy is to avoid OAuth unless I know the party asking to use it is legitimate. I will register the tedious way instead, creating a username and password and providing a throwaway email address if necessary. Under no circumstances would I grant OAuth privileges to any sender of email that I was not expecting, even if it appears to come from a friend or trusted website.”