Why the Google Docs scam was a different kind of phishing

In an OAuth attack, hackers can get access to your account and you wouldn't even need to type a thing.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
Google logo reflected in a human eye.

Google shut down this week's Google Docs phishing attack quickly, but that doesn't mean we're all in the clear.

Chris Jackson/Getty Images

It's a phishing scheme that even multifactor authentication and changing your password won't fix.

On Wednesday, a massive Google Docs phishing attack spread across Gmail, hijacking people's accounts and spamming itself to the victims' contact lists. Google quickly shut down the attack, which affected about 0.1 percent of Gmail's users.

Even at that low number, with roughly 1 billion Gmail users, that's still at least 1 million people being compromised. And the typical phishing detection that Gmail offers couldn't block it because the attack didn't even need victims to type in their passwords.

The phishing scam relied on OAuth exploitation, a rare scheme that exposed itself to the world on Wednesday. OAuth, which stands for Open Authorization, lets apps and services "talk" to each other without logging into your accounts. Think about how your Amazon Alexa can read off your Google Calendar events, or how your Facebook friends can see what song you're listening to on Spotify. In the last three years, apps that use OAuth jumped from 5,500 to 276,000, according to Cisco Cloudlock.

"Now that this technique is widely known, it's likely to pose a significant problem -- there are so many online services which use OAuth and it's difficult for them to fully vet all of the third-party applications out there," said Greg Martin, CEO of cybersecurity firm Jask, in an email.

How was the Google Docs exploit different from typical phishing attacks?

A typical phishing attack populates a website meant to trick you into typing your password, sending sensitive information to the thief or logging it in a database.

With OAuth exploits, as in the case of the Google Docs scam, accounts can be hijacked without the user typing in anything. In the Google Docs scheme, the attacker created a fake version of Google Docs and asked for permission to read, write and access the victim's emails.

By granting the OAuth exploit permission, you've effectively given the bad guys access to your account without needing a password.

Why can't I just change my password?

OAuth doesn't work through passwords, it works through permission tokens. If a password is a key locking your account's doors, OAuth is a doorman who has the keys and who gets tricked into letting other people in.

You would need to revoke the permissions to kick out the intruders.

Why doesn't multifactor authentication stop OAuth exploits?

Multifactor authentications work by prompting you to enter a security code when you try logging in through a password.

Again, in this exploit, passwords are not the entry point. So when hackers use OAuth exploits, they don't need to enter a password -- the victim duped into giving permission already did.

"The applications themselves are not required to have a second factor once the user has granted permissions," according to Cisco's research.

So, what should I do if I fell for something like the Gmail phishing scam?

Luckily, the fix is easier to handle than if you fell for a standard phishing exploit. In Google's case, you can revoke the permissions by going to https://myaccount.google.com/permissions. If the fake app is shut down, as Google did with the hoax Google Docs, the permission would also be automatically revoked.

For other services using OAuth, it might not be as simple. Most services that rely on OAuth will have a page where you can manage your permissions, like Twitter's Applications page. On Android 6.0 devices, you can revoke permissions on Application Manager in your settings.

Unfortunately, there are hundreds of thousands of apps that use OAuth, and not enough time for most people to find all the permissions pages for them.

CNET Magazine: Check out a sampling of the stories you'll find in CNET's newsstand edition.

It's Complicated: This is dating in the age of apps. Having fun yet? These stories get to the heart of the matter.