Slashdot Mirror
Google Was Warned About This Week's Mass Phishing Email Attack Six Years Ago (vice.com)
An anonymous reader quotes a report from Motherboard: For almost six years, Google knew about the exact technique that someone used to trick around one million people into giving away access to their Google accounts to hackers on Wednesday. Even more worrisome: other hackers might have known about this technique as well. On October 4, 2011, a researcher speculated in a mailing list that hackers could trick users into giving them access to their accounts by simply posing as a trustworthy app. This attack, the researcher argued in the message, hinges on creating a malicious application and registering it on the OAuth service under a name like "Google," exploiting the trust that users have in the OAuth authorization process. OAuth is a standard that allows users to grant websites or applications access to their online email and social networking accounts, or parts of their accounts, without giving up their passwords. "Imagine someone registers a client application with an OAuth service, let's call it Foobar, and he names his client app 'Google, Inc.'. The Foobar authorization server will engage the user with 'Google, Inc. is requesting permission to do the following,'" Andre DeMarre wrote in the message sent to the Internet Engineering Task Force (IETF), the independent organization responsible for many of the internet's operating standards. "The resource owner might reason, 'I see that I'm legitimately on the https://www.foobar.com/ site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow,'" DeMarre concluded. As it turns out, DeMarre claims he warned Google directly about this vulnerability in 2012, and suggested that Google address it by checking to see ensure the name of any given app matched the URL of the company behind it. In a Hacker News post, DeMarre said he reported this attack vector back then, and got a "modest bounty" for it.
OAuth is a standard that allows users to grant websites or applications access to their online email and social networking accounts, or parts of their accounts
Lesson #1 of computer security: don't aggregate all your data on somebody else's computer.
Lesson #2 of computer security: don't aggregate all your data with all of everybody else's data, especially when also in violation of Lesson #1.
Lesson #3 of computer security: they aren't on your side. (For any arbitrary value of "they", but most especially including companies inducing you to violate Lessons #1 and #2).
About using Android.
Betteridge said it best. Not no, but hell no.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
While I agree that there are risks for users storing their data in the cloud, it seems like Google should be liable for damage done by this attack. Google clearly was notified and was aware of the vulnerability, hence the bug bounty paid out. I understand that it's not possible to deliver patches immediately, but there are reasonable standards depending on the scope of the vulnerability. Several years is beyond the length of a reasonable length to fix a security issue that could compromise a user's account that might contain sensitive and confidential data. It sure seems like Google was negligent in their security, and ought to be held responsible for damages caused in the attack. There needs to be a lot more liability when businesses are negligent in implementing reasonable security practices and when they fail to respond to reports of security issues within a reasonable amount of time. The only way for security to become a priority is when failing to practice it causes real financial penalties.
It's an APP app, because only apps can app apps!
Apps!
'I see that I'm legitimately on the https://www.foobar.com/ site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow,'"
Let's see. You're on the attacker's website and you trust it (apparently because it has https in the URL), and you trust Google, so you allow the attacker free access to your google account. How is this Google's fault again? I mean, you give access to your account to people you shouldn't and it's someone else's fault?
Up next, new app scam named "Goggle, Inc.". Another 1 million people clicked on it.
Your post is not helpful at all. In principle, OAuth is actually a really good idea, because it's a substitute for providing your username and password to a third party and giving them full access to my account. Clearly the implementation has some issues, but it's superior to the alternative. Let's say that I have a third party calendar app that extends functionality beyond what's in Google's calendar app, but wants to be interoperable with Google's calendar system. It's completely reasonable for that app to request access to those parts of my account, and I shouldn't expect the app to function as expected if I decline. The problem is in the implementation, not in the principle. Your statement is absurd, and I can provide plenty of examples of why.
Let's say I have a map application that can be used to allow me to look up a road map anywhere in the world, but can also provide GPS navigation. My location is private information, so I have every reason to want to restrict how that information is shared. The app doesn't need to know my position until I need it to locate me and provide navigation services, so it doesn't receive that data when I'm simply browsing around. However, when I need it for GPS navigation, it then expressly requests permission to access my GPS location. This is completely reasonable, because that information is required for navigation to function. It also respects my privacy in not acquiring that information when I'm not using it for navigation. Why shouldn't the app need to ask for my permission, and why would a user expect it to provide this very reasonable and useful functionality without that information?
Or let's say I'm installing a proprietary video driver in Linux to fully support my hardware. I shouldn't run as root, but it's completely reasonable that the installer would need some superuser access to install the driver. It's common for the installer to be run from an ordinary user account but to request superuser permissions (in this case, for me to type my root password) to do the portions of the installation that require such access. Why shouldn't the software need to ask for my permission, and why would a user expect it to run properly without providing that access?
By your reasoning, you would decline the request for permissions in both cases, when they are both totally reasonable. The problem is not that the app is asking for permission. It's actually better that an app begins with limited permissions and then explicitly requests additional permissions only when they are actually necessary. The problem is that, in this case, the framework for apps to get those permissions, OAuth, is poorly implemented and lacking in security. Sorry, but your post is completely unhelpful.
is that it's so blindingly obvious that you'd never seriously consider trying it
Honestly, it's the first thought that popped into my head when they changed the way the permissions interface for Oauth worked about 8ish years ago. Don't know if there's much, if anything you can do about it though, other than ban the app on a case by case basis, or put some kind of filter in place that remembers the name of every trademark holder. But even then, there'll still be bad guys that manage to get through it.
This signature has Super Cow Powers
The attack sounds quite obvious, thinking about it. Just fake the whole thing, and store the credentials in the process.
It's for me just another reason to avoid Google, Facebook, LinkedIn, or whatever login you can find on various web sites. I'd rather create a new account with unique password. Without direct link to any other web site, without giving them a chance to access to any of my info on the other web sites, without allowing Google and Facebook yet another vector of tracking me (why else are they offering that service?).
Someone using their Google credentials to log in to just about anything, has a big problem were there Google account to be compromised. All those sites suddenly become accessible. It maybe takes a bit of guesswork and luck from the attacker, but they already have the credentials. That's just no fun.
Admittedly the same could happen if my LastPass master password is compromised, but the chance of that is less as I know when to expect to have to enter it. It's a whole lot harder for any software to fake this. I bet it's not impossible, just much harder than setting up a genuine looking web site or app and asking me for it.
This "attack" was so obvious I didn't even consider it a serious attempt until multiple people started getting it.
The mail was sent with the From as one of your contacts' plain e-mail addresses (it didn't even have the full name of the user which Gmail contacts usually have) and To as hhhhhh@mailinator.com
The thing then said this person shared a document, not even an official Google logo, image or disclosure with a link to "Open in Docs". If then took you to a site that asked whether you wanted to give a "Google Docs" website with the wrong logo access to your Contacts.
The "attacker" didn't even attempt to obfuscate this at any point. If anyone fell for this, they deserve to have their computers and internet access taken from them.
Custom electronics and digital signage for your business: www.evcircuits.com
This happened under Trump's watch
What,Google knowing about a massive hole in their products for years and not do anything about it,now who would believe it !!!
Amazing how fast they can roll out more crap apps or hardwarevif they think there is a chance of it making a few more dollars or how fast they kill stuff if it's not making any or enough money,but don't ever seem to be able to do anything about security unless it looks like it might cost them money if they don't..
5 years of doing bugger all,but then they can suddenly fix the problem in less than a day !!!
HAhahahahahah!
I'm sorry but.... there is nothing special about this attack. They named their service google docs in Oauth and that's about the extent of things. I apologize that despite 20 years of warnings about phishing and reading shit users are still dumb as hell and click anything on their screen. At some point we need to admit to ourselves that no amount of security is going to stop a stupid user
Did someone say cake?
The only thing under Trump's watch is maybe a mole and tiny hands.
Timing is everything! You have to do things when they need to be done, not early or late. Early or late may as well be the same thing in this case.
If a probe fires it's retro rocket 6 years early, we don't consider that to be a good thing, it's just as much of a failure as firing them late or not firing at all, in the scope of accomplishing your goal.
The better way to look at this is that Google had 6 years to patch and improve their system to make these types of vulnerabilities less possible and instead, as usual, they just did the minimal amount they needed to keep the data mining revenue rolling in, since that's really all the company is. They only provide you free services in order to mine your private data. They aren't in the business of making great apps or services, just good enough ones to get clicks and subscribers.
Everything they do is done half ass and without pushing any kind of envelope of features or usability. They like to call it a minimalist approach, I call it lazy and disloyal to it's users. Google Music apps are a joke, Gmail is not impressive unless you travel back to 1995. Google Doc is pretty horrible and hasn't improved significant for years. Google Voice is half baked. Their entire Android platform was just kind of throw out there to see what happened and now they are paying the price for that. Their interfaces generally suck (they LOVE putting one set of options all the way at the top left corner and then other set all the way at the top right corner, which is just stupid. The old boring top file menus still make a lot more sense and real touchscreen computing is just not happening. Beyond phones, touchscreen computing is a gimmick and generally just slows people down. Touchpads have more real use than touchscreens as far as productivity goes and even they offer few advantages of mice. Google does get a lot of apps to market, but they have to really because the play store is more like a malware store than anything I can trust, and it's been that way for a lot longer than 6 years.
Chrome is probably their best app.
Google starts far too many projects and finishes like none of them, they are the ADD kid of the tech companies. For the level of trust they are getting from people, they should be doing far better. They are overly concerned with profits instead of quality and that strategy will undermine their brand as computing and internet work through their trends and hardware stabalizing.. just as we saw with desktop computing. You can see all the cheap phones that are perfectly capable these days, Moto G4 line and Android One is coming to America. That means the smartphone boom is just about dead, the hardware cost and feature set has stabilized and they aren't coming up with useful features that people need. The entire smartphone market is going to deflate just like desktop computing did and people will keep phones much longer since they are fast, have good battery and the new OS releases offer little to no compelling features.
VR is not going to save desktop or mobile computing, there is nothing on the horizon that's compelling right now. Other than a fingerprint scanner most new features are just gimmicks, including Google and Apple Pay, which are at best mildly convenient but just about entirely unnecessary and vastly more complex and less supported than credit cards, as well as another potential security hole. Fingerprint scanner is just a fast way to unlock the phone, the security part of it is just silly, but still fast unlock is actually useful.
So "do no evil" really fucked up this time.
What stops this would be attacker from obtaining a certificate for whatever phishing domain they register?
This green lock is no guarantee you are on the site you think you are. You'll have to open it and check the certificate details. Too much work for what I'd estimate at about 99.99% of the average computer users.