Google Was Warned About This Week's Mass Phishing Email Attack Six Years Ago (vice.com)

← Back to Stories (view on slashdot.org)

Google Was Warned About This Week's Mass Phishing Email Attack Six Years Ago (vice.com)

Posted by BeauHD on Thursday May 4, 2017 @12:20PM from the come-back-to-haunt dept.

An anonymous reader quotes a report from Motherboard: For almost six years, Google knew about the exact technique that someone used to trick around one million people into giving away access to their Google accounts to hackers on Wednesday. Even more worrisome: other hackers might have known about this technique as well. On October 4, 2011, a researcher speculated in a mailing list that hackers could trick users into giving them access to their accounts by simply posing as a trustworthy app. This attack, the researcher argued in the message, hinges on creating a malicious application and registering it on the OAuth service under a name like "Google," exploiting the trust that users have in the OAuth authorization process. OAuth is a standard that allows users to grant websites or applications access to their online email and social networking accounts, or parts of their accounts, without giving up their passwords. "Imagine someone registers a client application with an OAuth service, let's call it Foobar, and he names his client app 'Google, Inc.'. The Foobar authorization server will engage the user with 'Google, Inc. is requesting permission to do the following,'" Andre DeMarre wrote in the message sent to the Internet Engineering Task Force (IETF), the independent organization responsible for many of the internet's operating standards. "The resource owner might reason, 'I see that I'm legitimately on the https://www.foobar.com/ site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow,'" DeMarre concluded. As it turns out, DeMarre claims he warned Google directly about this vulnerability in 2012, and suggested that Google address it by checking to see ensure the name of any given app matched the URL of the company behind it. In a Hacker News post, DeMarre said he reported this attack vector back then, and got a "modest bounty" for it.

30 of 45 comments (clear)

Min score:

Reason:

Sort:

yay the cloud by Anonymous Coward · 2017-05-04 12:35 · Score: 1

OAuth is a standard that allows users to grant websites or applications access to their online email and social networking accounts, or parts of their accounts
Lesson #1 of computer security: don't aggregate all your data on somebody else's computer.
Lesson #2 of computer security: don't aggregate all your data with all of everybody else's data, especially when also in violation of Lesson #1.
Lesson #3 of computer security: they aren't on your side. (For any arbitrary value of "they", but most especially including companies inducing you to violate Lessons #1 and #2).
"Allow?" Well, if you have to ask... by rmdingler · 2017-05-04 12:41 · Score: 1

Betteridge said it best. Not no, but hell no.

--
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Re:That should make you feel good by Anubis+IV · 2017-05-04 12:45 · Score: 4, Insightful

It's a web app, not a mobile app, and this is a social engineering attack, not a hack, so the device doesn't matter. As such, you can fall prey to this exact scam while using a Mac, a Surface tablet running Windows, or an Android phone with the latest security updates.
Negligence and Liability by Anonymous Coward · 2017-05-04 12:46 · Score: 1

While I agree that there are risks for users storing their data in the cloud, it seems like Google should be liable for damage done by this attack. Google clearly was notified and was aware of the vulnerability, hence the bug bounty paid out. I understand that it's not possible to deliver patches immediately, but there are reasonable standards depending on the scope of the vulnerability. Several years is beyond the length of a reasonable length to fix a security issue that could compromise a user's account that might contain sensitive and confidential data. It sure seems like Google was negligent in their security, and ought to be held responsible for damages caused in the attack. There needs to be a lot more liability when businesses are negligent in implementing reasonable security practices and when they fail to respond to reports of security issues within a reasonable amount of time. The only way for security to become a priority is when failing to practice it causes real financial penalties.
1. Re:Negligence and Liability by Anonymous Coward · 2017-05-04 13:00 · Score: 3, Insightful
  
  While I agree that there are risks for users storing their data in the cloud, it seems like Google should be liable for damage done by this attack. Google clearly was notified and was aware of the vulnerability, hence the bug bounty paid out.
  Even worse, Google allowed a random person to create and distribute an app called "Google Doc". What the fucking fuck?
2. Re:Negligence and Liability by wvmarle · 2017-05-04 15:29 · Score: 3, Insightful
  
  Correct me if I'm wrong here, but Google doesn't have to be involved AT ALL.
  These folk are fishing for credentials, they're pretending to be a trustworthy web site, and pretend they're asking for Google credentials. This whole OAuth request is (can be) faked just as well. Just reject whatever the user inputs, after a few attempts they're likely to give up.
  They could of course involve Google and actually use the given credentials behind the scenes to genuinely log in the user (doesn't look as suspect), all the while storing the credentials for later use. That would potentially make the attack work longer; the moment Google catches up it's on to plan B which is just storing the credentials (usually entered correctly anyway) and then telling the user the authentication failed.
  The apps themselves may be distributed through the Google Play store - greater audience but high risk of being caught out - or through one of a myriad of alternative stores Google has no control over.
3. Re:Negligence and Liability by jenningsthecat · 2017-05-05 00:11 · Score: 2
  
  While I agree that there are risks for users storing their data in the cloud, it seems like Google should be liable for damage done by this attack. Google clearly was notified and was aware of the vulnerability, hence the bug bounty paid out. I understand that it's not possible to deliver patches immediately, but there are reasonable standards depending on the scope of the vulnerability. Several years is beyond the length of a reasonable length to fix a security issue that could compromise a user's account that might contain sensitive and confidential data. It sure seems like Google was negligent in their security, and ought to be held responsible for damages caused in the attack. There needs to be a lot more liability when businesses are negligent in implementing reasonable security practices and when they fail to respond to reports of security issues within a reasonable amount of time. The only way for security to become a priority is when failing to practice it causes real financial penalties.
  Came here to say this, but also to add that perhaps the responsibilities and liabilities are less clear in a legal sense when no money has changed hands, and therefore there may be no express or implied contract between Google and the average user. Some will say the TOS is that contract, and I'd be interested to see how that angle would play out in court, given the spotty history of court cases involving TOS.
  It might be better for someone seeking damages in a case like this to also argue that the information Google collects from users has substantial value, and therefore represents a payment. That would automatically suggest that an implied contract exists. Personally, I'd love that; assigning a monetary value to personal information could open up all kinds of interesting legal possibilities when it comes to adequate recompense for allowing one's personal data to be harvested. It could also establish that, at least in some cases, collecting personal data is theft and therefore a felony. The corporations that govern our societies probably won't let that happen, but it's nice to dream...
  
  --
  'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
How is this Google's fault again? by Obfuscant · 2017-05-04 13:10 · Score: 1

'I see that I'm legitimately on the https://www.foobar.com/ site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow,'"

Let's see. You're on the attacker's website and you trust it (apparently because it has https in the URL), and you trust Google, so you allow the attacker free access to your google account. How is this Google's fault again? I mean, you give access to your account to people you shouldn't and it's someone else's fault?
1. Re:How is this Google's fault again? by sims+2 · 2017-05-04 13:30 · Score: 1
  
  Would this require me to be logged in to google for this to work?
  
  --
  Minimum threshold fixed. Thanks!
2. Re:How is this Google's fault again? by Anonymous Coward · 2017-05-04 14:01 · Score: 5, Informative
  
  That's not exactly what happened in the latest attack. The email contained a link to a real OAuth page hosted on the real, properly secured, accounts.google.com, and requested permissions for a malicious app called "Google Docs". If given permission, the app would have full access to much of the contents of the google account including emails (not login credentials, though).
  Google's main fault in this situation is that they should never allow app names to impersonate real Google features, like Docs. The OAuth page should also make it clear when it's an untrusted third party requesting the access.
3. Re:How is this Google's fault again? by aix+tom · 2017-05-04 21:53 · Score: 1
  
  The OAuth page should also make it clear when it's an untrusted third party requesting the access.
  So how is Google going to know which parties you are trusting, and which parties you are not trusting? Their magic 8 ball?
  There are basically only two options:
  - YOU Decide who to trust or not to trust
  - Google deciding it FOR you.
  In my opinion, Option one is the lesser of two evils.
4. Re:How is this Google's fault again? by thewolfkin · 2017-05-05 06:43 · Score: 1
  
  'I see that I'm legitimately on the https://www.foobar.com/ site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow,'"
  Let's see. You're on the attacker's website and you trust it (apparently because it has https in the URL), and you trust Google, so you allow the attacker free access to your google account. How is this Google's fault again? I mean, you give access to your account to people you shouldn't and it's someone else's fault?
  The mistake here is Google wants permission. That's not what's happening. It's Foobar asking for permission by pretending to be google. So while you would trust Google to give you access to foobar without giving Foobar too much info. You don't trust Foobar directly. So youclick Allow on Google but you're actually clicking on Foobar.
  
  --
  Just another second banana
"Google, Inc." by n329619 · 2017-05-04 13:11 · Score: 2

Up next, new app scam named "Goggle, Inc.". Another 1 million people clicked on it.
1. Re:"Google, Inc." by Nidi62 · 2017-05-05 00:03 · Score: 1
  
  Up next, new app scam named "Goggle, Inc.". Another 1 million people clicked on it.
  Don't for get the other common scam trick, calling it "Google, lnc" (pronouced like "link")
  
  --
  The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
How is this not incredibly obvious? by cshark · 2017-05-04 15:24 · Score: 1

Honestly, it's the first thought that popped into my head when they changed the way the permissions interface for Oauth worked about 8ish years ago. Don't know if there's much, if anything you can do about it though, other than ban the app on a case by case basis, or put some kind of filter in place that remembers the name of every trademark holder. But even then, there'll still be bad guys that manage to get through it.

--
This signature has Super Cow Powers
Another reason to avoid any such generic login by wvmarle · 2017-05-04 15:36 · Score: 2

The attack sounds quite obvious, thinking about it. Just fake the whole thing, and store the credentials in the process.
It's for me just another reason to avoid Google, Facebook, LinkedIn, or whatever login you can find on various web sites. I'd rather create a new account with unique password. Without direct link to any other web site, without giving them a chance to access to any of my info on the other web sites, without allowing Google and Facebook yet another vector of tracking me (why else are they offering that service?).
Someone using their Google credentials to log in to just about anything, has a big problem were there Google account to be compromised. All those sites suddenly become accessible. It maybe takes a bit of guesswork and luck from the attacker, but they already have the credentials. That's just no fun.
Admittedly the same could happen if my LastPass master password is compromised, but the chance of that is less as I know when to expect to have to enter it. It's a whole lot harder for any software to fake this. I bet it's not impossible, just much harder than setting up a genuine looking web site or app and asking me for it.
1. Re:Another reason to avoid any such generic login by El_Muerte_TDS · 2017-05-04 18:10 · Score: 1
  
  That's not true. You authenticate via Google, Facebook, LinkedIn, or whatever, and possibly give access to data in that account to the website you log in to. But that website has no access to any other site you logging in to with that Google, Facebook, LinkedIn, or whatever account. You only (partially) compromise your Google, Facebook, LinkedIn, or whatever account. The sites you log in to also have zero knowledge about your credentials,
  The big reason why you do not want to use Google, Facebook, LinkedIn, or whatever to log into every other site is that Google, Facebook, LinkedIn, or whatever will know even more about you. And you are probably giving away a lot of information from your Google, Facebook, LinkedIn, or whatever account to the site you log into.
  But you also need to use uBlock and Ghostery to block all those webbugs placed everywhere for Google, Facebook, LinkedIn, or whatever.
2. Re:Another reason to avoid any such generic login by wvmarle · 2017-05-04 18:35 · Score: 1
  
  That's not true. You authenticate via Google, Facebook, LinkedIn, or whatever, and possibly give access to data in that account to the website you log in to. But that website has no access to any other site you logging in to with that Google, Facebook, LinkedIn, or whatever account. You only (partially) compromise your Google, Facebook, LinkedIn, or whatever account. The sites you log in to also have zero knowledge about your credentials,
  That's what I'd hope for. But how can you be sure that this login page where you enter your credentials is actually served by Google/Facebook/etc? It's easy enough to fake this part, and for the web site to perform a MiM attack on your credentials. That's what these apps are apparently doing.
  
  But you also need to use uBlock and Ghostery to block all those webbugs placed everywhere for Google, Facebook, LinkedIn, or whatever.
  I haven't gone that far. I got a cookie self-destruct extension and ABP. Should help a lot - at least no more stray Facebook cookies they may track when I logged off (even though they claim they don't, rather make sure they can't). They'll have to try and profile my browser to know it's me - could be possible, still. Of course my IP is also not that random, it's dynamic and does change occasionally, every day or so.
3. Re:Another reason to avoid any such generic login by ckatko · 2017-05-05 01:40 · Score: 1
  
  You don't want to, but everyone else does. People want to spend time doing work, not putting in 60 different usernames and passwords for each of the 60 websites they visit.
  Ideally, people could run password managers on their PC's (optionally mirrored and encrypted in "the Cloud") that use a standardized web interface to talk to websites so you only remember your one manager password. But that requires a lot of different people working together to make that "the standard."
4. Re:Another reason to avoid any such generic login by wvmarle · 2017-05-05 01:56 · Score: 1
  
  Ideally, people could run password managers on their PC's (optionally mirrored and encrypted in "the Cloud") that use a standardized web interface to talk to websites so you only remember your one manager password. But that requires a lot of different people working together to make that "the standard."
  Ever heard of LastPass? That is doing exactly as you describe. Encrypted, mirrored in "the cloud", available from any device, autofill passwords, autologin most sites (so even easier than using a Facebook or Google login - especially as I'm not always logged in to those sites), can create and autofill random passwords for you, etc. There are more such password managers; no need for a worldwide standard to be able to use them conveniently. Having fields called "username" and "password" or so will do the job for the autofill.
  Added bonus: it will log you in to google.com but not go0gle.com or so. With UTF-8 domain names there are lots of letter lookalikes, which easily fool a human but not a computer.
5. Re: Another reason to avoid any such generic login by Brockmire · 2017-05-05 15:27 · Score: 1
  
  You look for the green lock on the https certificate to verify you're really on Google or Facebook's login pages. That isn't easily faked.
PBKAC error by fullphaser · 2017-05-04 23:12 · Score: 1

I'm sorry but.... there is nothing special about this attack. They named their service google docs in Oauth and that's about the extent of things. I apologize that despite 20 years of warnings about phishing and reading shit users are still dumb as hell and click anything on their screen. At some point we need to admit to ourselves that no amount of security is going to stop a stupid user

--
Did someone say cake?
Re: Not Google's fault by sproketboy · 2017-05-04 23:39 · Score: 1

The only thing under Trump's watch is maybe a mole and tiny hands.
Re: That should make you feel good by Anubis+IV · 2017-05-05 01:09 · Score: 1

I wasn't talking about Gmail. I was talking about the rogue app.
Re:That should make you feel good by ckatko · 2017-05-05 01:35 · Score: 1

Are you surprised an ifanboy wouldn't understand the issue?
Ya right by AndyKron · 2017-05-05 02:24 · Score: 1

So "do no evil" really fucked up this time.
1. Re: Ya right by Brockmire · 2017-05-05 15:35 · Score: 1
  
  If your definition of evil is protecting users as soon as an active exploit is discovered, then you're probably living in hell.
Re:That should make you feel good by Anubis+IV · 2017-05-05 02:41 · Score: 1

Are you surprised an ifanboy wouldn't understand the issue?
Why does it matter what platform he prefers? Does his choice offend you? Harm you? Threaten you?
Stick to the facts, correct his misconceptions, and move along. You'll find that the quality of your life improves significantly when you stop getting worked up about the preferences of others.
Re: never by Brockmire · 2017-05-05 15:32 · Score: 1

They didn't fix the problem, they just blocked this shit from their system. This may very well still be possible with some changes, like Google Sheets instead of Docs.
Re: Another reason to avoid any such generic logi by wvmarle · 2017-05-05 16:38 · Score: 1

What stops this would be attacker from obtaining a certificate for whatever phishing domain they register?
This green lock is no guarantee you are on the site you think you are. You'll have to open it and check the certificate details. Too much work for what I'd estimate at about 99.99% of the average computer users.