Contact list management app maker Plaxo told CNET today that it has shut a back door that spammers were using to stealthily access Google accounts.
"A malicious party has obtained on their own, not through Plaxo, a set of Google account credentials," said Preston Smalley, general manager at Plaxo. "They've used our server, which is meant to allow customers to access their own Google accounts, to gain access to those accounts they already had. That made it difficult for Google to detect that (unauthorized) activity because they came through our IP address as a proxy."
Google has been fighting off an attack from this source for some time, Smalley said. The source changed its technique and had begun using the Plaxo backdoor in the last 48 hours or so, he added.
"Google and Plaxo detected what was going on, and we have temporarily shut down that service, which means our customers no longer have access to Google through that API," Smalley said. So users will not be able to sync their Google contacts.
Google has sent e-mails to potentially tens of thousands of Google account holders, warning them of suspicious activity, if they had accessed Google through the Plaxo APIs recently, whether or not they were affected by the potentially unauthorized access, according to Smalley. Google account holders are being advised to change their passwords.
"As a precautionary measure, Google temporarily disabled all Plaxo's connections to Gmail address books and calendars, including the sync service associated with your account," Plaxo says in a blog post going up on its site today." As a result, all users of Plaxo's Google Sync service received a 'suspicious sign-in prevented' message."
A Google spokesman provided this statement: "Google provides notifications to users in various ways if we detect potentially suspicious activity on their account. For security and convenience, we consistently recommend that websites use OAuth if they want to offer their visitors a method to access their data stored with Google."
It's unclear how the attackers got the Google account passwords, and those accounts may still be at risk, until the account holders change the passwords.
In the meantime, Smalley blamed weak authentication with something called AB (Address Book) Widget, which enabled Plaxo and third-party sites to allow users to import their Gmail contacts. Plaxo will be dumping AB Widget and moving to the OAuth standard for accessing Google in the future. Plaxo already uses OAuth for new users who sign in through Google. OAuth ties the session to a specific computer, which will better enable Google to detect malicious activity, Smalley said.
Plaxo had planned to retire the AB Widget last October but delayed shutting it down for a variety of reasons, Smalley said. "We had identified that this was something that could be exploited," he said. "In hindsight, I wish we had shut it down earlier."
Here is the e-mail Google users were receiving:
Someone recently tried to use an application to sign in to your Google Account, email@example.com. We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:
May 8, 2012 8:15am GMT
IP Address: 18.104.22.168
Location: Sunnyvale, California, United States
If you do not recognize this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately. Find out how at http://support.google.com/accounts?p=reset_pw
If this was you, and you want to give this application access to your account, complete the troubleshooting steps listed at http://support.google.com/mail?p=client_login
The Google Accounts Team
Updated at 1:30 p.m. PT with Google statement and clarifies authentication standard name is OAuth and 11:23 a.m. PT with info from and link to Plaxo blog post and 11:07 a.m. PT with text of an e-mail sent to a Google user.