A clever email phishing attack on Google Docs spread like wildfire across the internet on Wednesday afternoon. But this was no standard phishing attack — so don’t feel bad if you were fooled.
If someone invites you to edit a file in Google Docs today, don’t open it — it may be spam from a phishing scheme that’s been spreading quickly this afternoon. As detailed on Reddit, the attack sends targets an emailed invitation from someone they may know, takes them to a real Google sign-in screen, then asks them to “continue to Google Docs.” But this grants permissions to a (malicious) third-party web app that’s simply been named “Google Docs,” which gives phishers access to your email and address book.
The key difference between this and a very simple email phishing scheme is that this doesn’t just take you to a bogus Google page and collect your password — something you could detect by checking the page URL. It works within Google’s system but takes advantage of the fact that you can create a non-Google web app with a misleading name. Here’s what the permissions screen looks like, for example:
A real OAuth permissions page, also from Google’s servers.
Either way, Google has solved this problem and is now reconstructing its systems to prevent developers from exploiting its authentication systems to spoof Google’s own products and services. What we still don’t know is just how sophisticated this attack was. The attackers were able to automate contact collection to spread the attack, and the fake web app also requested access to read, send, delete, and manage Gmail accounts.
In a statement issued late Wednesday night, Google assured Gmail users that, beyond contact info, no other sensitive data was gleaned from the attack and no further action is necessary to protect accounts:
We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.