Google Docs scams still pose a threat

The internet was ravaged by a 2017 worm. A researcher warns that it can happen again, despite the new security measures in place.

In May 2017, a phishing attack now known as “the Google Docs worm” spread across the internet. The scam used web apps that pretended to be Google Docs to gain deep access to the emails and contact lists in Gmail accounts. Because the scam appeared to come from people the targets knew, the requests were very convincing. If victims granted access, the app would distribute the exact same scam email to their contacts, continuing the worm. It eventually affected over a million accounts before Google was able to contain it. However, new research shows that Google’s solutions don’t go far enough. A new viral Google Docs scam is possible at any moment.

Matthew Bryant, an independent security researcher, says that Google Workspace scams and phishing rely in large part on manipulating legitimate services and features toward abusive ends. Because targets trust Google’s products, they are more inclined to fall for the scams. Because the tactic is web-based and manipulates legitimate infrastructure, it is also out of the reach of security scanners and antivirus software.

Bryant presented his research at the Defcon security conference this month. He discovered workarounds that attackers might use to bypass Google’s enhanced Workspace protections. The risk from Google Workspace hijinks is not just hypothetical. Recent scams have used the same approach, manipulating Google Workspace notifications to create phishing pages or links that look more legitimate and attractive to victims.

Bryant claims that all these issues are due to Workspace’s design. The same features that make the Workspace platform flexible and adaptable also create opportunities for abuse. With more than 2.6 billion Google Workspace users, the stakes are high.

Bryant states that the design is flawed from the beginning, and this leads to security issues. These problems can’t simply be fixed; most of them require long-term fixes. Although Google has tried to make improvements, these risks result from certain design choices. Addressing them would require fundamental improvement, which could mean re-architecting the platform.

Google placed additional restrictions on apps that interface with Google Workspace after the 2017 incident. This included those that require sensitive access, such as email addresses or contact information. These “Apps Script” apps can be used by individuals, but Google supports them mainly so that enterprise users can customize Workspace and extend its functionality. Under the enhanced protections, apps with more than 100 users must be submitted to Google for a rigorous review before they can be released. If an app with fewer than 100 users has not been approved, Workspace will warn you before you run it.

Bryant discovered a loophole despite all the protections. These small apps will run without alerts if the email comes to you from someone within your own Google Workspace organisation. The idea is that you trust your coworkers enough not to need any alerts or warnings. These design decisions can open the door to attacks.

Bryant found that if he shared a link to a Google Doc with one of these apps attached, and changed the word “edit” at the end of the link to “copy”, users who open the link are presented with a prompt to “Copy document”. The user can close the tab at any time, but if they believe the document is legitimate and click through to create a copy, they become the owner and creator of that copy. They are also listed as the “developer” of the app embedded in the document. When the app then asks permission to run and access their Google account data, the victim sees their own email address.
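A mail or chat filter can surface the link shape described above for triage. The sketch below is an added example, not code from Bryant or Google. It assumes share links of the form `/<editor>/d/<id>/<action>` on `docs.google.com`, and the sample message and document IDs are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Assumed share-link shape: /<editor>/d/<doc id>/<action>, optionally /u/<n>/ before /d/.
PATH_RE = re.compile(
    r"^/(document|spreadsheets|presentation)/(?:u/\d+/)?d/([\w-]+)/(\w+)/?$",
    re.IGNORECASE,
)

def find_copy_links(body):
    """Return (url, editor, doc_id) for each Google Docs link that opens the copy prompt."""
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:!?)]}>")  # drop sentence punctuation glued to the link
        parts = urlsplit(url)
        # Exact host match: the technique relies on the genuine Google host,
        # so lookalike domains are a different problem and are not reported here.
        if parts.hostname != "docs.google.com":
            continue
        m = PATH_RE.match(parts.path)  # query string (?usp=...) is already split off
        if m and m.group(3).lower() == "copy":
            hits.append((url, m.group(1).lower(), m.group(2)))
    return hits

# Constructed sample message; the document IDs are placeholders, not real files.
SAMPLE_BODY = """Hi, please review the Q3 plan:
https://docs.google.com/document/d/EXAMPLE_DOC_ID_1/edit?usp=sharing
Budget template (make your own copy): https://docs.google.com/spreadsheets/d/EXAMPLE_DOC_ID_2/copy?usp=sharing.
Mirror: https://docs.google.com.example.net/document/d/EXAMPLE_DOC_ID_3/copy
"""

if __name__ == "__main__":
    for url, editor, doc_id in find_copy_links(SAMPLE_BODY):
        print(f"copy-prompt link ({editor}, id={doc_id}): {url}")
```

Copy links are also used legitimately for templates, so a hit is a signal to check the sender and context, not a verdict on its own.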

Bryant discovered a way to get around the problem. An attacker could embed the lost elements in Google Workspace’s version of a task automation “macro,” which is very similar to the macros that are so often abused in Microsoft Office. In this way an attacker can get a malicious app attached to an account within an organization. The app can then request permission to access other accounts in the same organisation without warnings.

A spokesperson for Google told WIRED that they are grateful to the researcher who identified and reported these risks. “We are making product enhancements based upon this research.”

Bryant also discovered a variety of alternate routes and variations to circumvent the Workspace app restrictions. Workspace can confuse the “developer” of an app with the “owner” of the document it is attached to, which gives an attacker some flexibility. An attacker who gains edit access to any document created within the target organization could potentially create an Apps Script app from it. This app will be trusted and have all of the rights of an internal app that was created using an internal account.

Bryant stresses that these are not specific Google Workspace bugs. He also said that there is no reason to panic about the possibility of more Google Docs phishing. The usual advice applies: don’t open any documents other than those you are expecting. If you have questions about why you received a document, check with the sender.

These findings highlight the difficulty of minimising abuse on ubiquitous platforms designed for ease of use and flexibility. Even a platform as basic as Google Docs can be used to launch attacks that could potentially reach billions.

Published at Fri, 20 August 2021 20:41:22 (+0000).