2017-05-04
Google Was Warned About This Week's Mass Phishing Email Attack Six Years Ago (vice.com)
An anonymous reader quotes a report from Motherboard: For almost six years, Google knew about the exact technique that someone used to trick around one million people into giving away access to their Google accounts to hackers on Wednesday. Even more worrisome: other hackers might have known about this technique as well. On October 4, 2011, a researcher speculated in a mailing list that hackers could trick users into giving them access to their accounts by simply posing as a trustworthy app. This attack, the researcher argued in the message, hinges on creating a malicious application and registering it on the OAuth service under a name like "Google," exploiting the trust that users have in the OAuth authorization process. OAuth is a standard that allows users to grant websites or applications access to their online email and social networking accounts, or parts of their accounts, without giving up their passwords. "Imagine someone registers a client application with an OAuth service, let's call it Foobar, and he names his client app 'Google, Inc.'. The Foobar authorization server will engage the user with 'Google, Inc. is requesting permission to do the following,'" Andre DeMarre wrote in the message sent to the Internet Engineering Task Force (IETF), the independent organization responsible for many of the internet's operating standards. "The resource owner might reason, 'I see that I'm legitimately on the https://www.foobar.com/ site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow,'" DeMarre concluded. As it turns out, DeMarre claims he warned Google directly about this vulnerability in 2012, and suggested that Google address it by checking to ensure the name of any given app matched the URL of the company behind it. In a Hacker News post, DeMarre said he reported this attack vector back then, and got a "modest bounty" for it.
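The mitigation DeMarre proposed, an authorization server checking that a client's displayed name is consistent with the domain the client actually lives at, as an added example that is not part of the Motherboard report or of any Google code. It also goes slightly beyond the report by treating near-miss spellings of a protected brand (one character off, as in "Goggle") the same way, and by rendering the consent prompt around the verified host rather than the free-text name. The brand table, domains, client identifiers and sample registrations are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed table: brand keyword -> domains the brand is verified to own.
# A real authorization server would take this from its verified-domain registry.
PROTECTED_BRANDS = {
    "google": {"google.com", "googleapis.com"},
    "foobar": {"foobar.com"},
}


@dataclass
class ClientRegistration:
    client_id: str       # hypothetical identifier
    display_name: str    # free-text name the client asked to show on the consent screen
    redirect_uri: str    # where the authorization response is sent back


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss spellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_tokens(display_name: str) -> list:
    """'Google, Inc.' -> ['google', 'inc']: lowercase, punctuation stripped."""
    return re.sub(r"[^a-z0-9]+", " ", display_name.lower()).split()


def impersonated_brand(display_name: str):
    """Return the protected brand a display name invokes, either exactly or
    off by one character for tokens of five or more letters, else None."""
    for token in name_tokens(display_name):
        for brand in PROTECTED_BRANDS:
            if token == brand or (len(token) >= 5 and edit_distance(token, brand) <= 1):
                return brand
    return None


def host_owned_by(redirect_uri: str, brand: str) -> bool:
    """True when the redirect host is one of the brand's verified domains or a subdomain."""
    host = (urlparse(redirect_uri).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in PROTECTED_BRANDS[brand])


def vet_registration(reg: ClientRegistration) -> dict:
    """The check itself: a brand-like name is only allowed when the client's
    redirect host is verified for that brand."""
    brand = impersonated_brand(reg.display_name)
    host = urlparse(reg.redirect_uri).hostname or ""
    if brand is None:
        return {"verdict": "allow", "brand": None, "reason": "name references no protected brand"}
    if host_owned_by(reg.redirect_uri, brand):
        return {"verdict": "allow", "brand": brand, "reason": f"{host} is a verified {brand} domain"}
    return {"verdict": "reject", "brand": brand,
            "reason": f"name invokes '{brand}' but {host} is not a verified {brand} domain"}


def consent_prompt(reg: ClientRegistration) -> str:
    """Consent text that leads with the host the app actually lives at, so the
    user sees where the request comes from rather than only what it calls itself."""
    host = urlparse(reg.redirect_uri).hostname or "unknown host"
    return (f"An application at {host} (registered as {reg.display_name!r}) "
            "is requesting permission to do the following:")


# Constructed sample registrations: one legitimate, two impersonations, one unrelated.
SAMPLE_REGISTRATIONS = [
    ClientRegistration("c1", "Google, Inc.", "https://accounts.google.com/oauth/callback"),
    ClientRegistration("c2", "Google Docs", "https://docs-share.example/callback"),
    ClientRegistration("c3", "Goggle, Inc.", "https://goggle-mail.example/cb"),
    ClientRegistration("c4", "Weather Widget", "https://weather.example/cb"),
]

if __name__ == "__main__":
    for reg in SAMPLE_REGISTRATIONS:
        result = vet_registration(reg)
        print(reg.client_id, repr(reg.display_name), "->", result["verdict"], "|", result["reason"])
        if result["verdict"] == "allow":
            print("   ", consent_prompt(reg))
```

The point of `consent_prompt` is the same one DeMarre's quoted reasoning exposes: the user trusts the site they are on and the name on the screen, so the screen should be built from something the server has actually verified (the redirect host) and not from a string the registrant typed.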
Re: (Score:2)
It's a web app, not a mobile app, and this is a social engineering attack, not a hack, so the device doesn't matter. As such, you can fall prey to this exact scam while using a Mac, a Surface tablet running Windows, or an Android phone with the latest security updates.
"Allow?" Well, if you have to ask... (Score:2)
Re: (Score:1)
While I agree that there are risks for users storing their data in the cloud, it seems like Google should be liable for damage done by this attack. Google clearly was notified and was aware of the vulnerability, hence the bug bounty paid out.
Even worse, Google allowed a random person to create and distribute an app called "Google Doc". What the fucking fuck?
How is this Google's fault again? (Score:2)
'I see that I'm legitimately on the https://www.foobar.com/ site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow,'"
Let's see. You're on the attacker's website and you trust it (apparently because it has https in the URL), and you trust Google, so you allow the attacker free access to your Google account. How is this Google's fault again? I mean, you give access to your account to people you shouldn't and it's someone else's fault?
Re: (Score:2)
Would this require me to be logged in to google for this to work?
"Google, Inc." (Score:1)
Up next, new app scam named "Goggle, Inc.". Another 1 million people clicked on it.