Don’t trust OAuth: Why the “Google Docs” worm was so convincing

An evil phishing worm masquerading as “Google Docs” took the internet by storm today.

An e-mail from a friend or relative claims they shared a document with you.

Clicking on the “Open in Docs” button asked you to log in to Google, then it popped up a familiar OAuth request asking for some permissions.
If you clicked “Allow,” the app was granted full control over your e-mail and access to all your contacts.

The worm then e-mailed everyone in your contacts list, and did god-only-knows what else to the victim’s e-mail.
The interesting thing about this worm was just how convincing it was.

The e-mail was great—it used the exact same language as a Google Docs sharing e-mail and the exact same “Open” button.

Clicking on the link brought up an authentic Google login page, served up from Google’s servers. Then you were presented a real Google OAuth permissions page, also from Google’s servers.

The trick was that the app claiming to be “Google Docs” wasn’t really Google Docs. The screen showed a third-party app with the name “Google Docs” and a profile picture that matched the Google Docs logo.
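The consent screen let a third-party client borrow a first-party product name, and the scopes it asked for were the broad mail-and-contacts permissions a worm needs to spread. An organization that proxies or audits OAuth authorization requests can flag exactly that combination before a user ever sees "Allow". The following is an added example, not code from the article or from Google: it parses the `client_id` and `scope` parameters of an authorize URL and scores the request against an allowlist of vetted client IDs. The scope strings are Google's real identifiers for full Gmail and contacts access; the allowlist, the impersonated-name list and the URLs in the usage section are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Scopes that hand an app broad control of mail and contacts. The strings are
# Google's real scope identifiers; the risk labels are this example's own.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read/write/delete access to Gmail",
    "https://www.googleapis.com/auth/contacts": "read/write access to contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read access to contacts",
}

# Product names a third-party client has no business displaying. Constructed list.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google"}

# Hypothetical allowlist of client_ids the organization has reviewed. Placeholder value.
VETTED_CLIENT_IDS = {"EXAMPLE-VETTED-CLIENT-ID.apps.googleusercontent.com"}


def parse_authorize_request(url):
    """Return (client_id, [scopes]) from an OAuth 2.0 authorize URL.

    The scope parameter is a space-separated list; parse_qs decodes the
    '+' or '%20' separators to spaces for us.
    """
    params = parse_qs(urlparse(url).query)
    client_id = params.get("client_id", [""])[0]
    scopes = params.get("scope", [""])[0].split()
    return client_id, scopes


def assess_consent(app_name, url):
    """Score a consent request using the display name the consent page shows
    and the parameters of the authorize URL. Returns a dict with the parsed
    fields, a list of human-readable findings and a verdict of
    'allow', 'review' or 'block'."""
    client_id, scopes = parse_authorize_request(url)
    findings = []
    vetted = client_id in VETTED_CLIENT_IDS

    # A third-party client using a first-party product name is the core of the trick.
    impersonation = app_name.strip().lower() in FIRST_PARTY_NAMES and not vetted
    if impersonation:
        findings.append(
            f"unvetted client presents itself as first-party product '{app_name}'"
        )

    # Broad mail/contacts scopes are what let a compromised grant spread.
    risky = [s for s in scopes if s in HIGH_RISK_SCOPES]
    for scope in risky:
        findings.append(f"requests {HIGH_RISK_SCOPES[scope]} ({scope})")

    if not vetted:
        findings.append("client_id is not on the vetted allowlist")

    if impersonation or (risky and not vetted):
        verdict = "block"
    elif not vetted:
        verdict = "review"
    else:
        verdict = "allow"

    return {
        "client_id": client_id,
        "scopes": scopes,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed request shaped like the worm's consent flow: a third-party
    # client_id, a first-party display name and full mail + contacts scopes.
    worm_like = (
        "https://accounts.google.com/o/oauth2/v2/auth"
        "?client_id=CONSTRUCTED-ATTACKER-ID.apps.googleusercontent.com"
        "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
        "&scope=https%3A%2F%2Fmail.google.com%2F"
        "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    )
    for finding in assess_consent("Google Docs", worm_like)["findings"]:
        print("-", finding)
```

In a real deployment the display name would come from the consent page or the identity provider's app registry rather than being passed in by hand, and the allowlist would be the set of third-party apps the tenant has actually approved; the scoring logic stays the same.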
