Enlarge (credit: Sean Gallup / Getty Images)
The "Google Docs" phishing attack that wormed its way through thousands of e-mail inboxes earlier this week exploited a threat that had been flagged earlier by at least three security researchers—one raised issues about the threat as early as October of 2011. In fact, the person or persons behind the attack may have copied the technique from a proof of concept posted by one security researcher to GitHub in February.
The issue may not technically be a vulnerability, but the way Google has implemented its application permissions interface—based on the OAuth 2 standard used by a large number of Web application providers—makes it far too easy to fool unsuspecting targets into giving away access to their cloud, e-mail, storage, and other Google-associated accounts. The websites used in the phishing attack each used domains that mimicked Google's in some way. The sites would call a Google Apps Script that used Google's own authentication system against itself. The malicious Web application (named "Google Docs") was delivered by an HTML e-mail message that looked so much like a genuine Google Docs sharing request that many users just sailed right through the permissions requested without thinking.
Researchers have repeatedly warned Google about this potential social engineering threat, and this shortcoming had already been exploited in malicious e-mails used by an alleged state actor. While Google quickly shut down the malicious application's access to customers' credentials, the threat remains, since all it takes to relaunch a campaign is to configure another application with Google's authentication API.