Google quickly disables phishing scheme, but vulnerability remains

Internet security is a real pain. Even when you have done everything right and locked everything down tight, a new attack comes along that leverages legitimate sites and services to steal your private and sensitive data.

That is just what happened Wednesday, as a phishing scheme exploded that used Google’s own OAuth authentication system to grant access to a nefarious web app. Unlike other phishing schemes that use a fake internet address to lure the unsuspecting, this attack merely popped up a Google authorization request with a misleading app title.

It’s important to note that Google responded quickly and removed the offending app, thus shutting down this particular phishing scheme. However, the phishing method itself does not seem to have been rectified. Here’s Google’s statement:

“We have taken action to protect users against an email impersonating Google Docs and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”

The issue was originally highlighted on Reddit, where Redditor JakeSteam provided a step-by-step recreation of the attack. The attack has also been seen in the wild by Digital Trends’ own staff, and so we can confirm that these steps are accurately described.

The process was relatively simple. A potential victim received an email offering to share a Google Doc.


Clicking on the “Open in Docs” button popped up a legitimate Google account selection screen, which when clicked returned an equally legitimate Google authentication request to allow the app to access the user’s Gmail and Google contacts information.


It’s only by clicking on the Google Docs’ developer link that the typical user’s suspicion level might be raised. The problem here is that many people might trust an offer to share a Google Docs file, and so it would seem to make perfect sense that Google Docs is the system requesting access.

If you’ve already fallen prey to this phishing scheme, then you will want to disallow that app from accessing your data. You can do that by visiting the Connected Apps and Sites section of Google’s security page and clicking “Manage Apps.” Then click on the Google Docs app in the list, and hit the “Remove” button. Now might be a good time to review all of your connected apps and remove any that aren’t legitimate.
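For an administrator, the same review of connected apps can be scripted. The following is an added example, not code from the article or from Google: it flags OAuth grants whose app title matches a protected product name while the client is not on a trusted list and the granted scopes cover Gmail or contacts. The field names are modeled on token records in Google's Admin SDK Directory API; the protected-name list, the trusted client ID and all sample records are constructed assumptions.

```python
import unicodedata

# Product names worth protecting against imitation (assumption; extend as needed).
PROTECTED_NAMES = {"google docs", "google drive", "google sheets", "gmail"}

# Scopes matching the access the article describes: Gmail and contacts.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Client IDs you have verified as genuine (constructed placeholder value).
TRUSTED_CLIENT_IDS = {"trusted-first-party.apps.example"}


def normalize(name):
    """Fold case, width and invisible characters so title variants compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    visible = "".join(c for c in folded if unicodedata.category(c) != "Cf")
    return " ".join(visible.split())


def suspicious_grants(grants):
    """Flag grants with a protected title, an untrusted client and mail/contacts scopes."""
    hits = []
    for g in grants:
        lookalike = normalize(g["displayText"]) in PROTECTED_NAMES
        untrusted = g["clientId"] not in TRUSTED_CLIENT_IDS
        risky = sorted(SENSITIVE_SCOPES.intersection(g["scopes"]))
        if lookalike and untrusted and risky:
            hits.append({"user": g["userKey"], "clientId": g["clientId"], "scopes": risky})
    return hits


# Constructed sample records for illustration; none of these are real grants.
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "clientId": "constructed-123.apps.example", "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "bob@example.com", "clientId": "trusted-first-party.apps.example", "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/"]},
    {"userKey": "carol@example.com", "clientId": "constructed-456.apps.example", "displayText": "Team Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"userKey": "dave@example.com", "clientId": "constructed-789.apps.example", "displayText": "\uff27oogle\u200b Docs",
     "scopes": ["https://www.googleapis.com/auth/contacts.readonly"]},
]

if __name__ == "__main__":
    print(*suspicious_grants(SAMPLE_GRANTS), sep="\n")
```

Any grant it reports is a candidate for the “Remove” step described above, after checking the developer behind the client ID.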

The primary lesson here is the same as it has been for a long time now: If you aren’t expecting a shared file, then do not click anything when one is offered. If you are not sure who the file is from, then look into the sender and make sure it’s someone you trust.

Google will likely be looking into this issue and hopefully figuring out a way to resolve it. This particular phishing attack was shut down, but the ability to use Google’s legitimate authentication system for attacks is worrisome.

