Don’t trust OAuth: Why the “Google Docs” worm was so convincing

An evil phishing worm masquerading as "Google Docs" took the internet by storm today. An e-mail from a friend or relative claims they shared a document with you. Clicking the "Open in Docs" button asked you to log in to Google, then popped up a familiar OAuth request asking for some permissions. If you clicked "Allow," the permissions granted it full control over your e-mail and access to all your contacts. The worm then e-mailed everyone in your contacts list, and did god-only-knows what else to the victim’s e-mail.

The interesting thing about this worm was just how convincing it was. The e-mail was great—it used the exact same language as a Google Docs sharing e-mail and the exact same "Open" button. Clicking on the link brought up an authentic Google login page, served from Google’s servers. Then you were presented with a real Google OAuth permissions page, also from Google’s servers. The trick was that the app claiming to be "Google Docs" wasn’t really Google Docs. The consent screen showed a third-party app whose display name was "Google Docs" and whose profile picture matched the Google Docs logo.
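The consent-screen pattern described above can be checked mechanically: a third-party client reusing a first-party product name while asking for broad mailbox and contacts scopes. This is an added example, not code from the article or from Google; the scope URIs are Google's real scope identifiers, while the first-party name list, the sample authorization URL and its client_id are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Real Google scope URIs that grant broad mailbox or contact access.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read/send/delete access to Gmail",
    "https://www.googleapis.com/auth/contacts": "read/write all contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read all contacts",
}

# Assumed list of first-party product names a third-party app should not reuse.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google"}


def parse_consent_request(url):
    """Extract client_id and the space-separated scope list from an OAuth authorization URL."""
    q = parse_qs(urlparse(url).query)          # parse_qs also percent-decodes values
    scopes = set()
    for raw in q.get("scope", []):
        scopes.update(s for s in raw.split() if s)
    return {"client_id": q.get("client_id", [""])[0], "scopes": scopes}


def assess_consent(app_name, url, known_first_party_client_ids=frozenset()):
    """Return human-readable findings for a consent request; an empty list means nothing flagged."""
    req = parse_consent_request(url)
    findings = []
    name = app_name.strip().lower()
    impersonates = name in FIRST_PARTY_NAMES or name.startswith("google ")
    # A first-party-looking name is only legitimate for an allow-listed first-party client.
    if impersonates and req["client_id"] not in known_first_party_client_ids:
        findings.append(f"third-party client {req['client_id']!r} uses first-party name {app_name!r}")
    for scope in sorted(req["scopes"] & HIGH_RISK_SCOPES.keys()):
        findings.append(f"requests {HIGH_RISK_SCOPES[scope]} ({scope})")
    return findings


# Constructed sample with the shape of the worm's consent request;
# the client_id is a placeholder, not a real identifier.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

if __name__ == "__main__":
    for finding in assess_consent("Google Docs", SAMPLE_URL):
        print("FLAG:", finding)
```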


Source: Risk Assessment – Ars Technica @ May 3, 2017 at 06:21PM
