Google Was Warned About This Week's Mass Phishing Email Attack Six Years Ago

An anonymous reader quotes a report from Motherboard: For almost six years, Google knew about the exact technique that someone used to trick around one million people into giving away access to their Google accounts to hackers on Wednesday. Even more worrisome: other hackers might have known about this technique as well. On October 4, 2011, a researcher speculated in a mailing list that hackers could trick users into giving them access to their accounts by simply posing as a trustworthy app. This attack, the researcher argued in the message, hinges on creating a malicious application and registering it on the OAuth service under a name like "Google," exploiting the trust that users have in the OAuth authorization process. OAuth is a standard that allows users to grant websites or applications access to their online email and social networking accounts, or parts of their accounts, without giving up their passwords. "Imagine someone registers a client application with an OAuth service, let's call it Foobar, and he names his client app 'Google, Inc.'. The Foobar authorization server will engage the user with 'Google, Inc. is requesting permission to do the following,'" Andre DeMarre wrote in the message sent to the Internet Engineering Task Force (IETF), the independent organization responsible for many of the internet's operating standards. "The resource owner might reason, 'I see that I'm legitimately on the https://www.foobar.com/ site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow,'" DeMarre concluded. As it turns out, DeMarre claims he warned Google directly about this vulnerability in 2012, and suggested that Google address it by checking to see ensure the name of any given app matched the URL of the company behind it. In a Hacker News post, DeMarre said he reported this attack vector back then, and got a "modest bounty" for it.

Re:That should make you feel good

[Anubis+IV]

It's a web app, not a mobile app, and this is a social engineering attack, not a hack, so the device doesn't matter. As such, you can fall prey to this exact scam while using a Mac, a Surface tablet running Windows, or an Android phone with the latest security updates.

Re:Negligence and Liability

While I agree that there are risks for users storing their data in the cloud, it seems like Google should be liable for damage done by this attack. Google clearly was notified and was aware of the vulnerability, hence the bug bounty paid out.

Even worse, Google allowed a random person to create and distribute an app called "Google Doc". What the fucking fuck?

Re:Negligence and Liability

[wvmarle]

Correct me if I'm wrong here, but Google doesn't have to be involved AT ALL.

These folk are fishing for credentials, they're pretending to be a trustworthy web site, and pretend they're asking for Google credentials. This whole OAuth request is (can be) faked just as well. Just reject whatever the user inputs, after a few attempts they're likely to give up.

They could of course involve Google and actually use the given credentials behind the scenes to genuinely log in the user (doesn't look as suspect), all the while storing the credentials for later use. That would potentially make the attack work longer; the moment Google catches up it's on to plan B which is just storing the credentials (usually entered correctly anyway) and then telling the user the authentication failed.

The apps themselves may be distributed through the Google Play store - greater audience but high risk of being caught out - or through one of a myriad of alternative stores Google has no control over.