Gmail Hacked? Not Exactly
Google sent out a tweet yesterday saying that millions of its users have been tricked by a phishing email campaign into giving a third-party app access to the user’s Google data.
The phishing campaign is spread using a screen that looks like a request to share a Google document, like shown below:
NBC news said this was a vulnerability: “The vulnerability was exposed for only about one hour, and a spokesperson told NBC News on Wednesday night.” But it’s probably not. This is how OAuth is supposed to work.
OAuth is a way of letting people sign into 3rd party apps using their Facebook, Google, LinkedIn, or Twitter accounts.
Normally that is made clear when the 3rd party app pops up its screen. But in this attack the app was made to look like the Google Doc sharing email.
You can see yourself to which apps you have given access to your Google data when you run the security checkup. Click on the details of each one and see just what kind of access you have given. As you can see below, I have given, for example. Despegar travel website access to Google+ and Basic Account info. Only Google Chrome has Full Access.
Google lets websites use OAuth 2.0 as a login mechanism. That means Google passes the website a token to authenticate the user. So the user does not have to sign up for a web site, which they will usually find annoying, but can instead rely on their existing social media sites.
But the token does not identity the user. The token lets the 3rd party app use the Google API to look up basic information on the user, like their email address. Because at a minimum the app would need that to identify who is logging in.
You can play around with this process online with Google’s sandbox tool and pretend to give different 3rd party apps access to parts of your Google account.
Here is a code example from Google. This requests access to Google Drive metadata.
One of the parameters is scope. The full list of scopes is listed on Google’s API documentation site here. These range all the way from AdSense, to let a user get access to their own Adsense data, to the GMail API, which would let a 3rd party app actually send emails on the Gmail user’s account and changed settings. That is the dangerous one is probably how the hackers using this phishing campaign spread itself to the contacts found in the victim’s list.
It’s not clear why Google would let another app beside Gmail send Gmail. Google gives these use cases:
- Read-only mail extraction, indexing, and backup
- Label management (add/remove labels)
- Automated or programmatic message sending
- Migrating email accounts from other providers
- Set standardized email signatures for users in a domain
So is this a vulnerability in the Google Mail Oauth API? Not sure. Google’s tweet suggests they are looking into that and will perhaps make some change there.
Walker Rowe is an American freelance tech writer and programmer living in Chile. He specializes in big data analytics, cybersecurity, and IoT and publishes the website SouthernPacificReview.com.
Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.
Be Informed. Stay One Step Ahead.
Sign up for our newsletter and stay up to date with the latest industry news, trends, and technologies