Attacks like the Google Docs phishing scam that swept across the internet for an hour yesterday (May 3) will likely happen to other online services, thanks to a common login mechanism that is used by hundreds of websites.
The scam exploited the OAuth (for “open authorization”) protocol, which Google, Facebook, Twitter and many other services use to log users into multiple websites at once, and keep those users logged in indefinitely.
“[The] functionality of this campaign seems to be a modern incarnation of old e-mail macro viruses, such as the ILoveYou worm,” said Alex Heid, chief research officer at SecurityScorecard in New York.
“It is highly likely that the use of OAuth will be a common theme in future phishing campaigns,” Heid said. “This method is both effective from the standpoint of social engineering the victim, and the robust functionalities of OAuth apps allow attackers to expand the attack surface area.”
When you log into a service that uses OAuth, you create a “session token” that can be transferred to other sites and services, and log you into those as well. That’s how you can log into TweetDeck and Twitter at the same time, or log into hundreds of websites with your Facebook password.
“OAuth phishing isn’t going away,” said Jordan Wright, a research and development engineer at Duo Labs in Ann Arbor, Michigan, in a blog posting today (May 4).
“The success of this campaign suggests that we are likely to see more of this type of phishing moving forward,” Wright said. “These attacks are easy to automate, are cheap to set up, and, as we saw on Wednesday, are very effective.”
What You Need to Know (and What You Can Do)
The silver lining in yesterday’s attack was that there was no malicious payload, nor any theft of usernames or passwords. If you were affected, you do not have to change your Google password.
But you do need to go to https://myaccount.google.com/permissions and check to see if Google Docs is listed as a service that has access to your Google account. If so, remove it. (The real Google Docs has built-in access and won’t appear on the page.)
This isn’t OAuth’s first brush with infamy – an OAuth flaw disclosed almost exactly three years ago could have let anyone hijack your Google, Facebook, Twitter or Microsoft accounts.
Session tokens do have a finite lifespan, but it’s often weeks long, as anyone who keeps themselves permanently logged into frequently used websites can testify. Every once in a while, you’ll have to log back in again, which is how you know your previous session token has expired.
However, logging out of such services will kill a session token. The catch is that you must log off on all the desktop or laptop computers you may regularly use. (Apps and browsers on mobile devices are at less risk.)
One way to avoid OAuth abuse is to log off Facebook, Twitter, Gmail and any other online service as soon as you’re done using it on a computer. You’ll have to log back in next time, which is kind of a pain, but at least you’ll know that no one else can steal your token and log in without your permission.
Why the Attack Worked So Well
Yesterday’s attack tricked its victims into generating an OAuth token for a fake Google Docs service, and deceived the user into granting the fake Google Docs access to their Gmail accounts. With that OAuth token, the phony service could hijack Gmail.
The phony service automatically sent emails to everyone in a victim’s address book, asking them to view a Google Docs document. If a victim clicked on the “View in Docs” button in the email message, he or she was presented with a pop-up window asking them to give “Google Docs” permission to access Gmail, and the cycle repeated itself.
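The consent screen described above is where a defender can still intervene: the authorization request carries the app’s display name, the scopes it wants and the redirect_uri the token will be sent to, and the account permissions page (the check recommended earlier in this article) lists every third-party grant that already exists. The following is an added example, not code from the article or from Google, of the kind of triage logic an email gateway or a help desk could run over both. The URL, app names, grant list, the “trusted redirect” suffix list and the severity policy are all constructed for the example; the scope strings are real Google scope names, but treating them as high risk is this example’s own policy.

```python
"""Defender-side triage of OAuth 2.0 consent requests and existing grants.

Constructed example: the authorization URL, app names, grant list and policy
below are made up for illustration and are not artefacts of the May 3 campaign.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Real Google scope strings that let a third party read or send mail or read
# contacts. Calling them "high risk" is this example's policy, not Google's.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Google's own products have built-in access and never need an OAuth grant, so
# a third-party app presenting one of these names is impersonating them.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google"}

# Constructed allow list of domains whose apps have been reviewed in-house.
TRUSTED_REDIRECT_SUFFIXES = ("acme-calendar.test",)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str


def triage_consent_url(url: str, app_name: str) -> list[Finding]:
    """Inspect an OAuth authorization request URL plus the app name shown on
    the consent screen and return the findings a reviewer should see."""
    query = parse_qs(urlparse(url).query)
    findings = []

    if app_name.strip().lower() in FIRST_PARTY_NAMES:
        findings.append(Finding("high", f"app name {app_name!r} impersonates a first-party product"))

    # 'scope' is a space-separated list; parse_qs has already URL-decoded it.
    requested = set(query.get("scope", [""])[0].split())
    risky = sorted(requested & HIGH_RISK_SCOPES)
    if risky:
        findings.append(Finding("high", "requests mail/contacts access: " + ", ".join(risky)))

    # The redirect_uri is where the authorization code (and so the token) lands.
    redirect_host = urlparse(query.get("redirect_uri", [""])[0]).hostname or ""
    if not redirect_host.endswith(TRUSTED_REDIRECT_SUFFIXES):
        findings.append(Finding("medium", f"redirect_uri host {redirect_host!r} is not an approved app domain"))

    return findings


def verdict(findings: list[Finding]) -> str:
    """Collapse findings into a gateway decision."""
    severities = {f.severity for f in findings}
    if "high" in severities:
        return "block"
    if "medium" in severities:
        return "review"
    return "allow"


def audit_grants(grants) -> list[tuple[str, str]]:
    """grants: iterable of (app_name, set_of_scopes) as listed on the account
    permissions page. Returns (name, reason) pairs the user should revoke or
    re-confirm."""
    flagged = []
    for name, scopes in grants:
        if name.strip().lower() in FIRST_PARTY_NAMES:
            flagged.append((name, "first-party products never appear here; this grant is an impostor"))
        elif scopes & HIGH_RISK_SCOPES:
            flagged.append((name, "third party holds mail/contacts access; confirm it is still needed"))
    return flagged


if __name__ == "__main__":
    # Constructed request: an app calling itself "Google Docs" that wants full
    # Gmail plus contacts access and sends the code to an unreviewed domain.
    suspicious = (
        "https://accounts.google.com/o/oauth2/v2/auth?client_id=CONSTRUCTED-ID"
        "&response_type=code&redirect_uri=https%3A%2F%2Fdocs.example-attacker.test%2Fcallback"
        "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    )
    for f in triage_consent_url(suspicious, "Google Docs"):
        print(f.severity, f.reason)
    print("verdict:", verdict(triage_consent_url(suspicious, "Google Docs")))
```

The redirect check matters because the consent screen hides it: the user sees only the app name, while the token is delivered to whatever host the client registered. Note that the real product will never show up in `audit_grants`, which is why a grant that merely shares its name is enough to recommend revocation.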
Whether you had enabled two-factor authentication on your Google account made no difference — OAuth presumes that you’re fully authorized already, and blows right by 2FA.
“Because OAuth phishing avoids the typical red flags users have grown accustomed to with email phishing (that is, unfamiliar or spoofed URL link, sign-in request, or attached file), it is likely to have a higher rate of success and may even confound more experienced and competent users,” wrote Greg Martin, CEO of Jask, a cybersecurity firm in San Francisco, on the Dark Reading website.