Google Docs phishing
8/17/2023

It's a phishing scheme that even multifactor authentication and changing your password won't fix.

On Wednesday, a massive Google Docs phishing attack spread across Gmail, hijacking people's accounts and spamming itself to the victims' contact lists. Google quickly shut down the attack, which affected about 0.1 percent of Gmail's users. Even at that low number, with roughly 1 billion Gmail users, that's still at least 1 million people being compromised. And the typical phishing detection that Gmail offers couldn't block it because the attack didn't even need victims to type in their passwords.

The phishing scam relied on OAuth exploitation, a rare scheme that exposed itself to the world on Wednesday. OAuth, which stands for Open Authorization, lets apps and services "talk" to each other without logging into your accounts. Think about how your Amazon Alexa can read off your Google Calendar events, or how your Facebook friends can see what song you're listening to on Spotify.

In the last three years, apps that use OAuth jumped from 5,500 to 276,000, according to Cisco Cloudlock.

"Now that this technique is widely known, it's likely to pose a significant problem - there are so many online services which use OAuth and it's difficult for them to fully vet all of the third-party applications out there," said Greg Martin, CEO of cybersecurity firm Jask, in an email.

How was the Google Docs exploit different from typical phishing attacks?

A typical phishing attack populates a website meant to trick you into typing your password, sending sensitive information to the thief or logging it in a database. With OAuth exploits, as in the case of the Google Docs scam, accounts can be hijacked without the user typing in anything.

In the Google Docs scheme, the attacker created a fake version of Google Docs and asked for permission to read, write and access the victim's emails. By granting the OAuth exploit permission, you've effectively given the bad guys access to your account without needing a password.

OAuth doesn't work through passwords; it works through permission tokens. If a password is a key locking your account's doors, OAuth is a doorman who has the keys and who gets tricked into letting other people in. You would need to revoke the permissions to kick out the intruders.

Why doesn't multifactor authentication stop OAuth exploits?

Multifactor authentication works by prompting you to enter a security code when you try logging in with a password. Again, in this exploit, passwords are not the entry point. So when hackers use OAuth exploits, they don't need to enter a password - the victim duped into giving permission already did. "The applications themselves are not required to have a second factor once the user has granted permissions," according to Cisco's research.

So, what should I do if I fell for something like the Gmail phishing scam?

Luckily, the fix is easier to handle than if you fell for a standard phishing exploit. In Google's case, you can revoke the permissions by going to. If the fake app is shut down, as Google did with the hoax Google Docs, the permission would also be automatically revoked.

For other services using OAuth, it might not be as simple. Most services that rely on OAuth will have a page where you can manage your permissions, like Twitter's Applications page. On Android 6.0 devices, you can revoke permissions in Application Manager in your settings. Unfortunately, there are hundreds of thousands of apps that use OAuth, and not enough time for most people to find all the permissions pages for them.

A phishing attack can be devastating for the average consumer because it can leave them locked out of their accounts. Some of those accounts may be bank accounts or tied to other financial services, so the frequency with which these attacks occur is a real cause for alarm that many would want to work towards reducing.
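As an added illustration (not code from the original article, from Google, or from Cisco), here is a constructed Python model of OAuth delegated access that shows the three points above: the bearer token an app receives at consent is all the authorization server checks on later API calls, so a password change or a second factor on the user's own login does not invalidate it, while revoking the app's grant does. The class and names (AuthorizationServer, docs-lookalike, mail.read, mail.send) are assumptions made for the example.

```python
# Constructed model of OAuth delegated access (not Google's or CNET's code):
# a consented app's token survives password changes and MFA; revoking it does not.
import secrets
from dataclasses import dataclass, field

@dataclass
class Grant:
    client_id: str
    scopes: frozenset
    revoked: bool = False

@dataclass
class Account:
    password: str
    grants: dict = field(default_factory=dict)  # access token -> Grant

class AuthorizationServer:
    def __init__(self):
        self.accounts = {}

    def consent(self, user, client_id, scopes):
        # User clicks "Allow": the app gets a bearer token. No password is typed.
        token = secrets.token_hex(16)
        self.accounts[user].grants[token] = Grant(client_id, frozenset(scopes))
        return token

    def access(self, user, token, scope):
        # App API call: only the token and its scopes are checked here,
        # never the user's password or second factor.
        g = self.accounts[user].grants.get(token)
        return g is not None and not g.revoked and scope in g.scopes

    def change_password(self, user, new_password):
        self.accounts[user].password = new_password  # grants are untouched

    def revoke(self, user, client_id):
        # Remediation the article describes: withdraw the app's permissions.
        for g in self.accounts[user].grants.values():
            if g.client_id == client_id:
                g.revoked = True

def demo():
    srv = AuthorizationServer()
    srv.accounts["alice"] = Account(password="hunter2")
    # Hypothetical look-alike app asking for read/write access to mail.
    token = srv.consent("alice", "docs-lookalike", ["mail.read", "mail.send"])
    granted = srv.access("alice", token, "mail.read")
    srv.change_password("alice", "new-pass")
    after_pw_change = srv.access("alice", token, "mail.read")
    srv.revoke("alice", "docs-lookalike")
    after_revoke = srv.access("alice", token, "mail.read")
    return granted, after_pw_change, after_revoke
```

`demo()` returns `(True, True, False)`: access works after consent, still works after the password change, and stops only once the grant is revoked.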