Google quickly disables phishing scheme, but vulnerability remains

Internet security is a real pain. Even when you have done everything right and locked everything down tight, a new attack comes along that leverages legitimate sites and services to steal your private and sensitive data.

That is just what happened Wednesday, as a phishing scheme exploded that used Google’s own OAuth authentication system to grant access to a nefarious web app. Unlike other phishing schemes that use a fake internet address to lure the unsuspecting, this attack merely popped up a Google authorization request with a misleading app title.

It’s important to note that Google responded quickly and removed the offending app, thus shutting down this particular phishing scheme. However, the phishing method itself does not seem to have been rectified. Here’s Google’s statement:

“We have taken action to protect users against an email impersonating Google Docs and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”

The issue was originally highlighted on Reddit, where Redditor JakeSteam provided a step-by-step recreation of the attack. The attack has also been seen in the wild by Digital Trends’ own staff, and so we can confirm that these steps are accurately described.

The process was relatively simple. A potential victim received an email offering to share a Google Doc.


Clicking on the “Open in Docs” button popped up a legitimate Google account selection screen, which when clicked returned an equally legitimate Google authentication request to allow the app to access the user’s Gmail and Google contacts information.


It’s only by clicking on the Google Docs’ developer link that the typical user’s suspicion level might be raised. The problem here is that many people might trust an offer to share a Google Docs file and then it would make perfect sense that Google Docs might be the system requesting access.

If you’ve already fallen prey to this phishing scheme, then you will want to disallow that app from accessing your data. You can do that by visiting the Connected Apps and Sites section of Google’s security page and clicking “Manage Apps.” Then click on the Google Docs app in the list, and hit the “Remove” button. Now might be a good time to review all of your connected apps and remove any that aren’t legitimate.
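The connected-app review described above can be run over a list of OAuth grants when they are available as data. The following Python code is an added example, not part of the original article or of any Google tool; the record fields, client IDs, and name lists are constructed assumptions.

```python
import unicodedata

# Real Google OAuth scope strings for full Gmail access and contacts.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}
# Display names an impostor app is likely to borrow (assumed list).
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}
# Client IDs the reviewer has verified as genuine (constructed placeholder).
TRUSTED_CLIENT_IDS = {"verified-first-party.apps.example"}

def normalize(name):
    """Fold case, compatibility forms and invisible format characters."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    visible = "".join(c for c in folded if unicodedata.category(c) != "Cf")
    return " ".join(visible.split())

def review_grants(grants):
    """Map client_id -> 'revoke' or 'review' for grants that need attention."""
    verdicts = {}
    for grant in grants:
        if grant["client_id"] in TRUSTED_CLIENT_IDS:
            continue
        if normalize(grant["app_name"]) in PROTECTED_NAMES:
            # Borrowed product name on an unverified client: the pattern here.
            verdicts[grant["client_id"]] = "revoke"
        elif SENSITIVE_SCOPES & set(grant["scopes"]):
            # Unfamiliar app holding mail or contacts access: check by hand.
            verdicts[grant["client_id"]] = "review"
    return verdicts

# Constructed sample grants; field names and client IDs are hypothetical.
SAMPLE_GRANTS = [
    {"app_name": "Google Docs", "client_id": "impostor-1.apps.example",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"app_name": "Google\u200b Docs", "client_id": "impostor-2.apps.example",
     "scopes": ["https://www.googleapis.com/auth/contacts"]},
    {"app_name": "Google Docs", "client_id": "verified-first-party.apps.example",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"app_name": "Mail Merge Helper", "client_id": "third-party.apps.example",
     "scopes": ["https://mail.google.com/"]},
    {"app_name": "Weather Widget", "client_id": "widget.apps.example",
     "scopes": ["openid"]},
]

if __name__ == "__main__":
    for client_id, verdict in review_grants(SAMPLE_GRANTS).items():
        print(verdict, client_id)
```

The name check only folds case, Unicode compatibility forms, and invisible characters; look-alike letters from other scripts need a separate confusables mapping.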

The primary lesson here is the same as it has been for a long time now: If you aren’t expecting a shared file, then do not click anything when one is offered. If you are not sure who the file is from, then look into the sender and make sure it’s someone you trust.

Google will likely be looking into this issue and hopefully figuring out a way to resolve it. This particular phishing attack was shut down, but the ability to use Google’s legitimate authentication system for attacks is worrisome.

