In May, a phishing campaign took advantage of Google Docs users. Emails were sent containing a link to Google Docs that appeared to be an invitation to collaborate on a document. The emails carried all the usual naming one would expect from a genuine request.
However, the invitation was not sent through Google Docs. It was sent through a third-party application that had been named Google Docs. Clicking the link to accept the request to collaborate on the document in fact installed a malicious app.
If a recipient followed the instructions in the email, they would grant the app certain permissions. Doing so would see the same invitation sent to all of their contacts.
Although the attacks were limited to roughly 0.1% of Gmail users, that's still a substantial number of people: 0.1% is equal to about 1 million users. The attack may have been limited, but it did prompt Google to make several changes that make it much harder for applications to plug into Google services, such as improving the registration process to make it harder for unknown parties to put unknown applications into Google accounts.
The additional changes that have just been introduced improve security further. Users will now be shown a warning if an app hasn't been verified. They will be given the option to go back to safety or, if they insist on installing the unverified app, they are required to type 'continue' before the application will be connected.
The protections have been put in place for new applications that are pending verification, and Google will also roll out the extra protections to existing apps.
Google said, “This fresh notice will additionally assist inventors to test their applications more easily. As users can select to accept the ‘unverified app’ warning, inventors can now check their apps without needing to go via the OAuth customer confirmation procedure first.”
Google says that it has similarly extended these protections to Apps Scripts that request OAuth access to data, stating that the same warning screens will be shown. Users are further protected with a reminder that they must carefully consider whether they trust a particular application before they grant OAuth access.
These additional safeguards will help to prevent malicious apps from being installed and make it harder for users' data to be phished by malicious actors.
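The attack described above relied on a third-party app carrying the name Google Docs. As an added example (not code from Google or from this article), the Python sketch below audits an inventory of OAuth grants for apps whose display name matches a protected brand while the client is not first-party, and for unverified apps holding sensitive scopes. The field names, client IDs, scope strings and allowlist are assumptions constructed for illustration.

```python
import unicodedata

# Hypothetical allowlist of client IDs that belong to the real publisher.
FIRST_PARTY_CLIENT_IDS = {"first-party-docs.example"}
SENSITIVE_HINTS = ("mail", "contacts")  # constructed scope hints, not real scope names

def normalize(name):
    """Fold case and Unicode compatibility forms, then keep only letters and digits.
    Cross-script homoglyphs (e.g. Cyrillic letters) are not handled."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

# Brand names reserved for first-party apps (assumed list for this sketch).
PROTECTED_KEYS = {normalize(n) for n in ("Google Docs", "Google Drive", "Gmail")}

def review_grant(grant):
    """Return the reasons, if any, that an OAuth grant needs human review."""
    reasons = []
    impersonates = (normalize(grant["display_name"]) in PROTECTED_KEYS
                    and grant["client_id"] not in FIRST_PARTY_CLIENT_IDS)
    if impersonates:
        reasons.append("protected brand name on a non-first-party client")
    if not grant["verified"]:
        reasons.append("app is unverified")
    risky = sorted(s for s in grant["scopes"] if any(h in s for h in SENSITIVE_HINTS))
    if risky and reasons:
        reasons.append("sensitive scopes: " + ", ".join(risky))
    return reasons

def audit(grants):
    """Group flagged grants by user: {user: [(display_name, reasons), ...]}."""
    findings = {}
    for g in grants:
        reasons = review_grant(g)
        if reasons:
            findings.setdefault(g["user"], []).append((g["display_name"], reasons))
    return findings

# Constructed sample inventory; none of these values come from a real tenant.
SAMPLE_GRANTS = [
    {"user": "alice", "display_name": "Google Docs", "client_id": "unknown-app.example",
     "verified": False, "scopes": ["mail.readwrite", "contacts.read"]},
    {"user": "bob", "display_name": "Google Docs", "client_id": "first-party-docs.example",
     "verified": True, "scopes": ["documents.edit"]},
    {"user": "carol", "display_name": "Team Notes", "client_id": "notes.example",
     "verified": False, "scopes": ["calendar.read"]},
    {"user": "dave", "display_name": "\uff27oogle-Docs", "client_id": "lookalike.example",
     "verified": True, "scopes": ["contacts.read"]},
]
```

Calling `audit(SAMPLE_GRANTS)` flags alice, carol and dave; bob's grant passes because its client ID is on the first-party allowlist even though the display name is protected.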