On Wednesday the 3rd of May 2017 a phishing campaign propagated across the internet, affecting Google users. It was like nothing we’ve seen in recent years.
Now that the issue has been resolved and the risk mitigated, it’s time for some reflection. I’m sure you will be aware of how the Google Docs phishing campaign spread: users were tricked into authorising a malicious script that pilfered data and emailed other people in their address book, a little like a worm.
Google’s response was sharp, impactful and correct in every way possible. They warned users of the campaign via banners on their services, and they destroyed the phishers’ campaign. I’d like to imagine that at one point it was a team of advanced hackers vs the whole Google security development team battling it out… but the truth is we are unlikely to see a wild west style fight of good and evil, because Google do so much already to secure us online that it was probably as undramatic as a quick call to their Safe Browsing team.
But Google did know this could happen.
What I found worrying is that Google had ignored this issue not once but several times before. They had full prior responsible disclosure of the issue and took the decision not to act. Quoting Google:
The team will take this suggestion (app auth issues) into consideration, but per our discussion with them, this is currently working as designed and is not a technical vulnerability.
So Google were not only aware of the issue, which was reported 3 years ago under their own bug bounty scheme, but debated the attack and concluded that the authentication mechanism used for connecting Google scripts was working as designed…
With the internet giants we all use and trust today, we assume whilst using their services that their sheer scale and ability in this sector would reduce the chances of them making this kind of arrogant error. Surely they have a backend check for malicious use? A scan for scripts impersonating Google? And if the developers understood and debated this serious issue, you’d assume that a plan B was in place. It seems not.
Somewhere in the learning curve, nearly a million people were affected by this issue. It’s likely that a large proportion of these people had their data whisked from their accounts before the alert was raised.
The likely fix for Google is some kind of reputation system for the script a user is authorising.
So if I make a script today and send it to another Google user, they should be presented with glaring warnings, red screens, restricted API choices and banners explaining this issue. If Google or a reputable vendor makes a script, it can be validated. In essence, it’s bringing over what they already do for Chrome extensions and Google Play apps.
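To make the reputation idea concrete, here is an added example (not code from the original post, and not anything Google ships) of how an administrator or platform might triage the third-party apps users have authorised. The grant records, the brand tokens, the risk weights and the block/warn/allow thresholds are all assumptions constructed for this example; the scope strings mirror Google's public OAuth scope URIs but the grants themselves are invented. It flags exactly the combination the campaign relied on: an unverified publisher, a display name borrowing a Google product name, and mail plus address-book access together.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Scope URIs modelled on Google's public OAuth scope names; the weights
# and thresholds are this example's assumptions, not a Google policy.
MAIL_SCOPES = {
    "https://mail.google.com/": "full mailbox access",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
}
CONTACT_SCOPES = {
    "https://www.googleapis.com/auth/contacts.readonly": "read the address book",
}
SCOPE_RISK = {**MAIL_SCOPES, **CONTACT_SCOPES}

# Display-name tokens that suggest an app is posing as a Google product (assumed list).
GOOGLE_BRAND_TOKENS = ("google", "gmail", "g suite", "docs", "drive")


@dataclass(frozen=True)
class Grant:
    """One third-party app a user has authorised (constructed record format)."""
    app_name: str
    publisher_verified: bool   # did the platform vet the publisher?
    scopes: Tuple[str, ...]


def impersonates_google(app_name: str) -> bool:
    """True if the display name borrows a Google product name."""
    name = app_name.lower()
    return any(token in name for token in GOOGLE_BRAND_TOKENS)


def assess(grant: Grant) -> Tuple[int, List[str]]:
    """Score a grant; a higher score means more reason to warn or block."""
    score, reasons = 0, []
    if not grant.publisher_verified:
        score += 3
        reasons.append("publisher not verified")
        if impersonates_google(grant.app_name):
            # The 2017 campaign's app was simply called "Google Docs".
            score += 4
            reasons.append("unverified app uses a Google product name")
    for scope in grant.scopes:
        if scope in SCOPE_RISK:
            score += 2
            reasons.append(SCOPE_RISK[scope])
    has_mail = any(s in MAIL_SCOPES for s in grant.scopes)
    has_contacts = any(s in CONTACT_SCOPES for s in grant.scopes)
    if has_mail and has_contacts:
        # Mail plus address book is what let the script spread like a worm.
        score += 2
        reasons.append("mail and contacts together allow self-propagation")
    return score, reasons


def verdict(score: int) -> str:
    """Map a score to the consent-screen treatment described in the post."""
    if score >= 7:
        return "block"      # red screen, restricted API choices
    if score >= 3:
        return "warn"       # glaring warning banner
    return "allow"          # validated / reputable vendor


def triage(grants: List[Grant]) -> Dict[str, str]:
    """Return the verdict for every authorised app, keyed by display name."""
    return {g.app_name: verdict(assess(g)[0]) for g in grants}


# Constructed sample grants (not real data).
SAMPLE_GRANTS = [
    Grant("Google Docs", False,
          ("https://mail.google.com/",
           "https://www.googleapis.com/auth/contacts.readonly")),
    Grant("Acme Calendar Sync", True,
          ("https://www.googleapis.com/auth/calendar.readonly",)),
    Grant("Mail Merge Helper", False,
          ("https://www.googleapis.com/auth/gmail.send",)),
]

if __name__ == "__main__":
    for grant in SAMPLE_GRANTS:
        score, reasons = assess(grant)
        print(f"{grant.app_name:20} {verdict(score):5} score={score} {reasons}")
```

Run as a script it prints one line per grant; the impersonating, unverified app that asks for mail and contacts scores 13 and is blocked, the verified calendar app is allowed, and the unverified mail-merge tool lands in the warning band because sending mail alone is risky but cannot spread on its own.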
Edit: Since this blog post was published, a user on Reddit, /U/TylzaeL, shared a link to an old notice board warning of the same attack, dated October 2011.
It goes to show that several people had raised concerns about this attack vector prior to the phishing campaign.
Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer Limited. He has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.