Slashdot Mirror


Google Was Warned About This Week's Mass Phishing Email Attack Six Years Ago (vice.com)

An anonymous reader quotes a report from Motherboard: For almost six years, Google knew about the exact technique that someone used to trick around one million people into giving away access to their Google accounts to hackers on Wednesday. Even more worrisome: other hackers might have known about this technique as well. On October 4, 2011, a researcher speculated in a mailing list that hackers could trick users into giving them access to their accounts by simply posing as a trustworthy app. This attack, the researcher argued in the message, hinges on creating a malicious application and registering it on the OAuth service under a name like "Google," exploiting the trust that users have in the OAuth authorization process. OAuth is a standard that allows users to grant websites or applications access to their online email and social networking accounts, or parts of their accounts, without giving up their passwords. "Imagine someone registers a client application with an OAuth service, let's call it Foobar, and he names his client app 'Google, Inc.'. The Foobar authorization server will engage the user with 'Google, Inc. is requesting permission to do the following,'" Andre DeMarre wrote in the message sent to the Internet Engineering Task Force (IETF), the independent organization responsible for many of the internet's operating standards. "The resource owner might reason, 'I see that I'm legitimately on the https://www.foobar.com/ site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow,'" DeMarre concluded. As it turns out, DeMarre claims he warned Google directly about this vulnerability in 2012, and suggested that Google address it by checking to ensure the name of any given app matched the URL of the company behind it. In a Hacker News post, DeMarre said he reported this attack vector back then, and got a "modest bounty" for it.

7 of 45 comments

  1. Re:That should make you feel good by Anubis+IV · · Score: 4, Insightful

    It's a web app, not a mobile app, and this is a social engineering attack, not a hack, so the device doesn't matter. As such, you can fall prey to this exact scam while using a Mac, a Surface tablet running Windows, or an Android phone with the latest security updates.

  2. Re:Negligence and Liability by Anonymous Coward · · Score: 3, Insightful

    While I agree that there are risks for users storing their data in the cloud, it seems like Google should be liable for damage done by this attack. Google clearly was notified and was aware of the vulnerability, hence the bug bounty paid out.

    Even worse, Google allowed a random person to create and distribute an app called "Google Doc". What the fucking fuck?

  3. "Google, Inc." by n329619 · · Score: 2

    Up next, new app scam named "Goggle, Inc.". Another 1 million people clicked on it.

  4. Re:How is this Google's fault again? by Anonymous Coward · · Score: 5, Informative

    That's not exactly what happened in the latest attack. The email contained a link to a real OAuth page hosted on the real, properly secured, accounts.google.com, and requested permissions for a malicious app called "Google Docs". If given permission, the app would have full access to much of the contents of the Google account including emails (not login credentials, though).

    Google's main fault in this situation is that they should never allow app names to impersonate real Google features, like Docs. The OAuth page should also make it clear when it's an untrusted third party requesting the access.
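The mitigation DeMarre proposed in the summary above (a client's display name has to match the domain of whoever registered it) together with the explicit "this is a third party" labelling this comment asks for, as an added example that is not code from Google, Motherboard or any commenter. It assumes a hypothetical authorization server that keeps a list of protected brand names, a set of first-party domains and a set of high-risk scopes; the client registrations, domains and scope strings are constructed for the demonstration. It goes slightly beyond the page in that it also catches near-miss names such as the "Goggle, Inc." variant joked about in comment 3.

```python
"""Consent-screen impersonation check for an OAuth authorization server.

Added example, not Google's code or code from the cited report. It
implements the check DeMarre proposed (a client name that claims a brand
must come from a registrant who verified that brand's domain) and labels
third-party clients explicitly on the consent prompt. Brand list,
first-party domains, scopes and client records are all constructed.
"""
import difflib
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: the server operator maintains these three lists.
PROTECTED_BRANDS = {"google", "gmail", "youtube"}      # names third parties may not claim
FIRST_PARTY_DOMAINS = {"google.com"}                    # owners allowed to use them
HIGH_RISK_SCOPES = {"https://mail.google.com/",         # full mailbox access
                    "https://www.googleapis.com/auth/contacts"}


@dataclass
class Client:
    client_id: str
    display_name: str
    redirect_uris: List[str]
    verified_domain: Optional[str] = None   # domain the registrant proved control of


@dataclass
class ConsentDecision:
    allow: bool
    reason: str
    prompt: str


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). A real server should use the
    public suffix list; this is enough for the constructed sample."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def redirect_domains(client: Client) -> set:
    return {registrable_domain(urlparse(u).hostname or "") for u in client.redirect_uris}


def is_first_party(client: Client) -> bool:
    """First party only if the verified domain AND every redirect URI
    belong to the provider; a verified vanity domain is not enough."""
    return (client.verified_domain in FIRST_PARTY_DOMAINS
            and redirect_domains(client) <= FIRST_PARTY_DOMAINS)


def impersonated_brand(name: str) -> Optional[str]:
    """Return the protected brand that a display name uses or closely
    resembles ('Google Docs' -> 'google', 'Goggle, Inc.' -> 'google')."""
    for token in re.findall(r"[a-z0-9]+", name.lower()):
        for brand in sorted(PROTECTED_BRANDS):
            if token == brand:
                return brand
            # one-character lookalikes of a protected brand (e.g. goggle, gogle)
            if len(token) >= 5 and difflib.SequenceMatcher(None, token, brand).ratio() >= 0.8:
                return brand
    return None


def consent_prompt(client: Client, scopes: List[str]) -> ConsentDecision:
    """Decide whether to show the consent screen at all, and what it says."""
    brand = impersonated_brand(client.display_name)
    first_party = is_first_party(client)

    # DeMarre's check: the name may only claim a brand whose domain the
    # registrant actually verified. The same check belongs at registration time.
    if brand and not first_party:
        return ConsentDecision(
            allow=False,
            reason=(f"name {client.display_name!r} claims {brand!r} but the client "
                    f"belongs to {client.verified_domain or 'an unverified registrant'} "
                    f"with redirects to {sorted(redirect_domains(client))}"),
            prompt="")

    if first_party:
        return ConsentDecision(True, "first-party client",
                               f"{client.display_name} wants to: " + "; ".join(scopes))

    # Third party: say so, show who registered it, and escalate for broad scopes.
    owner = client.verified_domain or "an unverified developer"
    text = (f"This app is NOT made by Google. '{client.display_name}' ({owner}) "
            "wants to: " + "; ".join(scopes))
    if any(s in HIGH_RISK_SCOPES for s in scopes):
        text += ". It is asking for broad access to your account data, not just your name."
    return ConsentDecision(True, "third-party client", text)


# Constructed registrations: the real product, the look-alike used in the
# phish, the 'Goggle, Inc.' variant, and an honest third party.
SAMPLE_CLIENTS = {
    "docs-1p":    Client("docs-1p", "Google Docs", ["https://docs.google.com/oauth2/callback"], "google.com"),
    "docs-phish": Client("docs-phish", "Google Docs", ["https://googledocs.attacker.example/cb"]),
    "goggle":     Client("goggle", "Goggle, Inc.", ["https://goggle-inc.example/cb"], "goggle-inc.example"),
    "honest":     Client("honest", "Foobar Mail Backup", ["https://app.foobar.example/cb"], "foobar.example"),
}
MAIL_SCOPE = ["https://mail.google.com/"]


def evaluate_all(scopes: List[str] = MAIL_SCOPE) -> dict:
    return {cid: consent_prompt(c, scopes) for cid, c in SAMPLE_CLIENTS.items()}


if __name__ == "__main__":
    for cid, d in evaluate_all().items():
        print(f"{cid:10} allow={d.allow} {d.reason}")
        if d.prompt:
            print(f"{'':10} prompt: {d.prompt}")
```

Running it shows the two outcomes the page argues for: the real "Google Docs" client passes because its verified domain and redirect URIs are all on google.com, the phishing registration with the same name is refused before any consent screen is rendered, and the honest third party gets through but with a prompt that names the registrant's domain and says plainly that the app is not Google's. The brand-name check alone is a blocklist and will always lag behind new spellings; the domain verification is what makes the check hold.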

  5. Re:Negligence and Liability by wvmarle · · Score: 3, Insightful

    Correct me if I'm wrong here, but Google doesn't have to be involved AT ALL.

    These folk are phishing for credentials, they're pretending to be a trustworthy web site, and pretending they're asking for Google credentials. This whole OAuth request is (can be) faked just as well. Just reject whatever the user inputs, after a few attempts they're likely to give up.

    They could of course involve Google and actually use the given credentials behind the scenes to genuinely log in the user (doesn't look as suspect), all the while storing the credentials for later use. That would potentially make the attack work longer; the moment Google catches up it's on to plan B which is just storing the credentials (usually entered correctly anyway) and then telling the user the authentication failed.

    The apps themselves may be distributed through the Google Play store - greater audience but high risk of being caught out - or through one of a myriad of alternative stores Google has no control over.

  6. Another reason to avoid any such generic login by wvmarle · · Score: 2

    The attack sounds quite obvious, thinking about it. Just fake the whole thing, and store the credentials in the process.

    It's for me just another reason to avoid Google, Facebook, LinkedIn, or whatever login you can find on various web sites. I'd rather create a new account with a unique password. Without a direct link to any other web site, without giving them a chance to access any of my info on the other web sites, without allowing Google and Facebook yet another vector for tracking me (why else are they offering that service?).

    Someone using their Google credentials to log in to just about anything has a big problem were their Google account to be compromised. All those sites suddenly become accessible. It may take a bit of guesswork and luck from the attacker, but they already have the credentials. That's just no fun.

    Admittedly the same could happen if my LastPass master password is compromised, but the chance of that is less as I know when to expect to have to enter it. It's a whole lot harder for any software to fake this. I bet it's not impossible, just much harder than setting up a genuine looking web site or app and asking me for it.

  7. Re:Negligence and Liability by jenningsthecat · · Score: 2

    While I agree that there are risks for users storing their data in the cloud, it seems like Google should be liable for damage done by this attack. Google clearly was notified and was aware of the vulnerability, hence the bug bounty paid out. I understand that it's not possible to deliver patches immediately, but there are reasonable standards depending on the scope of the vulnerability. Several years is beyond a reasonable length of time to fix a security issue that could compromise a user's account that might contain sensitive and confidential data. It sure seems like Google was negligent in their security, and ought to be held responsible for damages caused in the attack. There needs to be a lot more liability when businesses are negligent in implementing reasonable security practices and when they fail to respond to reports of security issues within a reasonable amount of time. The only way for security to become a priority is when failing to practice it causes real financial penalties.

    Came here to say this, but also to add that perhaps the responsibilities and liabilities are less clear in a legal sense when no money has changed hands, and therefore there may be no express or implied contract between Google and the average user. Some will say the TOS is that contract, and I'd be interested to see how that angle would play out in court, given the spotty history of court cases involving TOS.

    It might be better for someone seeking damages in a case like this to also argue that the information Google collects from users has substantial value, and therefore represents a payment. That would automatically suggest that an implied contract exists. Personally, I'd love that; assigning a monetary value to personal information could open up all kinds of interesting legal possibilities when it comes to adequate recompense for allowing one's personal data to be harvested. It could also establish that, at least in some cases, collecting personal data is theft and therefore a felony. The corporations that govern our societies probably won't let that happen, but it's nice to dream...

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.