Google Docs Phishing Scheme: OAuth as an Attack Vector

By now you've probably heard of the Google phishing attack. In this article, we go into how OAuth was used as an attack vector, and how to prevent such attacks.

by Sateesh Narahari
May. 17, 17 · Tutorial

OAuth is a solid security standard, carefully designed to balance user experience and security, and it is used across many apps. It is also the standard that most SaaS vendors support for REST API access. Anything as popular as OAuth quickly becomes an attractive target for hackers and bad guys, as the recent Google Docs attack showed.

There are indications that Russian-based spies are starting to exploit gaps in end-user judgement to get access to corporate data. This is a clever mix of social engineering and abuse of user familiarity. The goal is to conduct corporate or political espionage, or to use the data to demand a ransom from targeted companies. Trend Micro has dubbed this attack “Pawn Storm.”

This Gmail attack works by asking the user to grant an app permissions to specific capabilities in Google G Suite, including the ability to read and write emails and documents, and to access user information such as name, email address, age, etc. With those permissions in hand, some potential scenarios are:

  • An email sent from what appears to be the CEO to the CFO, authorizing payment to a third party.
  • CryptoLocker-style ransomware attacks.
  • Analysis of sharing behavior to identify which other domains the company has been sharing documents with.
  • A targeted corporate espionage program intended to predict upcoming M&A or funding activity.

The sky is the limit for a skillful hacker once they get access to a targeted individual's corporate Gmail and G Suite account. A more sophisticated attacker might even plant their code and strike at the perfect moment for maximum impact. The recent Google Docs attack appears to have been carried out by an inexperienced hacker who went for maximum publicity instead of maximum damage (likely script kiddies, but we won’t ever know for sure). Fortunately, Google reacted quickly and shut them down. However, not every attack will be as visible as that one.

You can read about the Google Docs attack in this article on NetworkWorld.

Even some seemingly benign apps ask for broad permissions. For example, the Fox News app requests permission to read your email. That means that if the Fox News app is compromised, your organizational data may also be compromised. It’s never a good idea for employees to use corporate Gmail for these types of consumer applications, but they often do it anyway for convenience.

How to Protect Your Company Against Attack

Most advice on how to defend against this type of attack focuses on users checking the permissions they have granted to different apps. This advice falls short for enterprises: administrators have limited visibility into what individual users have authorized, so it is hard to enforce.

One great tool is ManagedMethods’ Cloud Access Monitor, which provides that critical visibility. An administrator can review all the apps that employees have authorized and the permissions granted to each app.

Administrators can also search for which apps have permission to read users’ emails or access documents in G Suite.

And finally, administrators can revoke access to these apps right from Cloud Access Monitor.
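The same review-and-revoke workflow can be scripted against Google's own Admin SDK. The following is an added example, not code from the article or from ManagedMethods: it takes the JSON returned by the Directory API tokens endpoint for one user, flags any authorized app holding the broad mail, Drive or contacts scopes the article warns about, and prints what an administrator would revoke. The scope-to-label mapping and the sample payload are constructed for illustration.

```python
"""Audit a user's OAuth grants for the broad scopes the article describes
(read/write mail and documents). Added example; uses the JSON shape of the
Admin SDK Directory API GET .../users/{userKey}/tokens response."""
import json
import urllib.request

# Scope -> plain-language label. Labels are this auditor's own (assumption).
RISKY_SCOPES = {
    "https://mail.google.com/": "full Gmail read/write/delete",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/gmail.modify": "read/modify mail",
    "https://www.googleapis.com/auth/drive": "read/write all Drive files",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}

def risky_grants(tokens_response, user):
    """One finding per authorized app that holds at least one risky scope."""
    findings = []
    for tok in tokens_response.get("items", []):
        hits = [RISKY_SCOPES[s] for s in tok.get("scopes", []) if s in RISKY_SCOPES]
        if hits:
            findings.append({"user": user, "clientId": tok["clientId"],
                             "app": tok.get("displayText", "?"), "risk": hits})
    return findings

def fetch_tokens(user, admin_bearer_token):
    """Live call; needs an admin token with the admin.directory.user.security
    scope. Not exercised by the offline demo below."""
    url = f"https://admin.googleapis.com/admin/directory/v1/users/{user}/tokens"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {admin_bearer_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample response: a look-alike "Google Docs" app holding full
# mail access beside a calendar app with a narrow scope. Not real data.
SAMPLE = {"items": [
    {"clientId": "000000-example.apps.googleusercontent.com", "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts.readonly"]},
    {"clientId": "111111-example.apps.googleusercontent.com", "displayText": "Team Calendar",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]}

if __name__ == "__main__":
    for f in risky_grants(SAMPLE, "cfo@example.com"):
        # Revocation is a DELETE on the same tokens path followed by /{clientId}.
        print(f"{f['user']}: {f['app']} ({f['clientId']}) -> {', '.join(f['risk'])}")
```

Run across every user in the domain, the findings list is the inventory the article says administrators lack; an app whose display name imitates a Google product but holds full mail access is exactly the pattern to revoke.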


Published at DZone with permission of Sateesh Narahari, DZone MVB. See the original article here.
