Google Docs Scams Pose Another Threat
In May 2017, a phishing attack now known as “the Google Docs worm” spread across the internet. It used special web applications to impersonate Google Docs and request deep access to the emails and contact lists in Gmail accounts. The scam was very effective because the requests appeared to come from people the target knew. If a target granted access, the app automatically sent the same scam email to the victim’s contacts, so the spread continued. The incident eventually affected more than a million accounts before Google successfully contained it. However, new research shows that the company’s fixes do not go far enough. Another viral Google Docs scam could happen at any time.
Google Workspace phishing and scams derive most of their power from manipulating legitimate forms and services to abusive ends, says independent security researcher Matthew Bryant. Targets are more likely to fall prey to the attacks because they trust Google’s offerings. The tactic also puts much of the activity outside the purview of antivirus tools and other security scanners, because it is web-based and manipulates legitimate infrastructure.
In research presented at the Defcon security conference this month, Bryant found workarounds that attackers could use to get past Google’s enhanced Workspace protections. And the risk of Google Workspace hijinks is not just theoretical. A number of recent scams use the same general approach of manipulating real Google Workspace announcements and forms so that phishing links or pages look more legitimate and more appealing to targets.
Bryant said all of these issues stem from the conceptual design of Workspace. The same features that make the platform convenient, adaptable, and geared toward sharing also offer opportunities for abuse. With more than 2.6 billion Google Workspace users, the stakes are high.
“The scheme has issues at first, and that leads to all sorts of security problems, which just can’t be solved – most of them aren’t magic fixes that go from place to place,” Bryant said. “Google is making an effort, but these risks come from specific design decisions. The initial improvement will go along with the pain process that can be re-architectural in this matter.”
Following the 2017 incident, Google added several restrictions on apps that could interact with Google Workspace, particularly those requesting any kind of sensitive access, such as emails or contacts. Individuals can use these “Apps Script” apps, but Google primarily supports them so that business users can customize and extend the functionality of Workspace. Under the strengthened protections, if an app has more than 100 users, the developer must submit it to Google for a notoriously cumbersome review process before it can be distributed. Meanwhile, if you try to run an app with a little over 100 users that hasn’t been reviewed yet, Workspace will show you a detailed warning screen that strongly warns you against proceeding.
Even with the protections in place, Bryant found a hole. Small apps can run without alerts if you receive one attached to a document from someone in your own Google Workspace organization. The idea is that you trust your colleagues and do not need the hassle of intricate warnings and alerts. However, those kinds of design choices leave potential openings for attacks.
For example, Bryant found that by sharing a link to a Google Doc that had one of these apps attached and changing the word “edit” at the end of the URL to the word “copy,” a user who opens the link will see a prominent “Copy document” prompt. The user can simply close the tab, but if they think the document is legitimate and click to make a copy, they become the creator and owner of that copy. They are also listed as the “developer” of the app that is still embedded in the document. So when the app asks for permission to run and access their Google account data, with no further warnings, the victim will immediately see their own email address.
Not all components of an app are copied along with the document, but Bryant found a way around this as well. An attacker can embed the missing elements in Google Workspace’s version of a “macro,” which is similar to the macros that are constantly abused in Microsoft Office. Ultimately, an attacker can get someone within an organization to take ownership of and grant access to a malicious app, which can in turn request access to the Google accounts of other people within the same organization without any warnings.
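A mail-side check for the link shape described above, as an added example (not code from Bryant's research or from Google): it flags links to docs.google.com whose final path segment is "copy" so they can be reviewed before delivery. The `/<editor>/d/<file id>/copy` path pattern, the extension from Docs to Sheets and Slides paths, and the sample messages are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
# Assumed path shape: /<editor>/d/<file id>/copy
COPY_PATH_RE = re.compile(
    r"^/(document|spreadsheets|presentation)/d/([\w-]+)/copy/?$")


def find_copy_links(body):
    """Return (url, editor, file_id) for each force-copy link in a message body."""
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:!?")  # drop sentence punctuation glued to the link
        try:
            parts = urlsplit(url)
            host = parts.hostname  # lower-cased by urlsplit
        except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
            continue
        # Exact host match only; lookalike hosts belong to a different check.
        if host != "docs.google.com":
            continue
        match = COPY_PATH_RE.match(parts.path)  # query and fragment are ignored
        if match:
            hits.append((url, match.group(1), match.group(2)))
    return hits


def scan(messages):
    """Map message id -> force-copy links, keeping only messages that have any."""
    found = {mid: find_copy_links(body) for mid, body in messages.items()}
    return {mid: links for mid, links in found.items() if links}


# Constructed sample messages; the file ids are made up.
SAMPLES = {
    "msg-1": "Please review: https://docs.google.com/document/d/1AbC_constructed-ID/copy.",
    "msg-2": "Notes: https://docs.google.com/document/d/1AbC_constructed-ID/edit?usp=sharing",
    "msg-3": "See https://docs.google.com.example.net/document/d/XYZ/copy",
    "msg-4": "Budget HTTPS://DOCS.GOOGLE.COM/spreadsheets/d/9zZ-constructed/copy?usp=sharing",
    "msg-5": "Broken link http://[::1/document/d/XYZ/copy",
}

if __name__ == "__main__":
    for mid, links in scan(SAMPLES).items():
        for url, editor, file_id in links:
            print(f"{mid}: force-copy link to {editor} {file_id}: {url}")
```

A hit is a reason to look at the document and its attached script before users open it, not proof of abuse, since copy links are also used for legitimate templates.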