Latest revision as of 23:31, 3 May 2017
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Digibase Security Advisory - Google/GMail/Docs Account Phishing Scheme
Keywords: Google, Google Docs, Phishing, Accounts, GMail
DBSA ID: 2017-05031
Regarding: Google/GMail Account Phishing Scheme
Writeup: Kradorex Xeron (talk) 23:11, 3 May 2017 (EDT)
Date: 2017-05-04
Last Modified: 2017-05-03 23:31:47 by Kradorex Xeron
Who should take note: All Google Users, Associated Contacts and G-Suite Administrators
Classification
Priority: MODERATE
Rationale: Users must be increasingly vigilant to avoid being vulnerable.
Severity: HIGH
Rationale: Successful exploitation may result in full account compromise.
Spread of Issue: SINGLE-PLATFORM HIGH
Rationale: All Google Users are potential targets.
Description
Google is an Internet conglomerate that provides multiple services to the public. Of specific interest are GMail, an email service, and Docs, an online office-style document creation and sharing service.
A phishing scheme has been identified that abuses the way Google Accounts lets users grant third-party apps access to their account. An unauthorized third party impersonates one of the target's known contacts and sends a crafted request which, if accepted, grants a malicious third-party app hosted on the attacker's servers access to the target's account. Once that access is granted, the app scans the user's contacts and sends each of them the same malicious request.
Because the scheme is carried out through Google's own authentication and permission prompts rather than a forged login page, users may not recognize it as phishing.
Three common indicators have been observed: the app identifies itself as "Google Docs"; the links use domain names containing "docscloud", "googledocs" or "gdocs"; and the request is addressed to "hhhhhhhhhhhhhhhh@mailinator.com" with the actual recipient in the BCC line. These indicators should not be relied on alone for detection, as there is evidence the operation is changing to other identifiers.
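The indicators above can be turned into a simple triage score for mail administrators. The following is an added example written for this advisory, not code from Digibase or Google: the indicators are the advisory's, while the scoring, the function names and the three sample messages (constructed to resemble the description, not real captures) are the editor's assumptions. Each indicator scores one point so that a mutated campaign that drops one identifier still surfaces.

```python
"""Score incoming mail against the advisory's indicators (added example)."""
import email
import re
from email import policy
from email.utils import getaddresses

DECOY_TO = "hhhhhhhhhhhhhhhh@mailinator.com"                    # decoy To address
SUSPECT_DOMAIN_FRAGMENTS = ("docscloud", "googledocs", "gdocs")  # look-alike hosts
URL_RE = re.compile(r"https?://([^/\s'\"<>]+)", re.IGNORECASE)


def addresses(msg, header):
    """Lower-cased e-mail addresses from a header (empty list if absent)."""
    return [a.lower() for _, a in getaddresses(msg.get_all(header, []))]


def text_and_hosts(msg):
    """Concatenated text of all text parts, plus the hostnames of URLs in them."""
    text, hosts = [], set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_content()
            text.append(body)
            hosts.update(h.lower() for h in URL_RE.findall(body))
    return "\n".join(text), hosts


def score_message(raw, mailbox):
    """Return (score, indicators) for a raw RFC 822 message found in `mailbox`.

    One point per indicator; the caller picks the threshold, since the advisory
    notes that the operation is changing identifiers."""
    msg = email.message_from_string(raw, policy=policy.default)
    mailbox = mailbox.lower()
    hits = []
    to_addrs, cc_addrs = addresses(msg, "To"), addresses(msg, "Cc")
    if DECOY_TO in to_addrs:
        hits.append("To is the decoy mailinator address")
    if mailbox not in to_addrs and mailbox not in cc_addrs:
        hits.append("mailbox absent from To/Cc (delivered via Bcc)")
    text, hosts = text_and_hosts(msg)
    lookalikes = sorted(h for h in hosts
                        if any(f in h for f in SUSPECT_DOMAIN_FRAGMENTS))
    if lookalikes:
        hits.append("look-alike domain: " + ", ".join(lookalikes))
    # Genuine Docs share notices link to google.com; a "Google Docs" message
    # whose links go elsewhere matches the app impersonation the advisory describes.
    off_google = sorted(h for h in hosts
                        if not (h == "google.com" or h.endswith(".google.com")))
    if "google docs" in (msg.get("Subject", "") + "\n" + text).lower() and off_google:
        hits.append("claims Google Docs but links off google.com: " + ", ".join(off_google))
    return len(hits), hits


MAILBOX = "alice@example.com"   # constructed: the mailbox being scanned

# Constructed samples (not real captures).
WORM_SAMPLE = """\
From: Bob Example <bob@example.com>
To: hhhhhhhhhhhhhhhh@mailinator.com
Subject: Bob has shared a document on Google Docs with you
Content-Type: text/plain; charset=utf-8

Bob has invited you to view the following document:
https://docscloud.info/g.php?id=example
"""

BENIGN_SAMPLE = """\
From: Carol Example <carol@example.com>
To: alice@example.com
Subject: Quarterly notes (Google Docs)
Content-Type: text/plain; charset=utf-8

Carol shared "Quarterly notes" with you:
https://docs.google.com/document/d/EXAMPLE/edit
"""

# A mutated variant: different decoy address, different look-alike host.
MUTATED_SAMPLE = """\
From: Dave Example <dave@example.com>
To: ddddd@mailinator.com
Subject: Dave shared a file with you
Content-Type: text/plain; charset=utf-8

Open it in Google Docs: https://share.gdocs-view.example/open
"""

if __name__ == "__main__":
    for name, raw in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE),
                      ("mutated", MUTATED_SAMPLE)):
        print(name, score_message(raw, MAILBOX))
```

Run it as-is to see the three samples scored; in a mail filter, feed score_message the raw message and the recipient's own address, and review anything scoring two or more rather than matching only on the exact decoy address.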
Mitigation/Solution
Users are advised to ignore (and NOT reject), then delete, all requests they are not anticipating, and to verify any request they are anticipating through a separate contact channel with the apparent sender.
Users are advised not to reject requests, since a rejection confirms to the attacker that the target account is active and invites further attempts by other means.
Those who have already granted access are advised to visit https://myaccount.google.com/u/0/permissions?pli=1 and revoke the malicious app's permissions. Revocation stops the app's further access but does not undo what it has already done: contacts it has read should be assumed exposed, and any contacts it has already mailed should be warned.
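For a G-Suite administrator the user-facing permissions page does not scale, so the same check can be run over the third-party grants listed for each user. The following is an added example by the editor, not code from the advisory or from Google: it assumes the response format of the Admin SDK Directory API tokens.list method (fields clientId, displayText, userKey and scopes) and the documented tokens.delete path; the flagging heuristic, the client IDs and the sample response are the editor's constructed assumptions.

```python
"""Triage third-party app grants from a Directory API tokens.list response
(added example for G-Suite administrators)."""
from urllib.parse import quote

# Scope families the described app needs: read contacts and send mail as the user.
MAIL_SCOPES = {"https://mail.google.com/",
               "https://www.googleapis.com/auth/gmail.send",
               "https://www.googleapis.com/auth/gmail.modify"}
CONTACT_SCOPES = {"https://www.googleapis.com/auth/contacts",
                  "https://www.googleapis.com/auth/contacts.readonly",
                  "https://www.google.com/m8/feeds/"}
IMPERSONATED_NAMES = {"google docs"}   # name the advisory reports; extend as needed


def flag_token(token):
    """Reasons to review one token entry; an empty list means leave it alone."""
    reasons = []
    if token.get("displayText", "").strip().lower() in IMPERSONATED_NAMES:
        reasons.append("display name impersonates a Google product")
    scopes = set(token.get("scopes", []))
    if scopes & MAIL_SCOPES and scopes & CONTACT_SCOPES:
        reasons.append("holds mail and contacts scopes together (worm-capable)")
    return reasons


def triage(response):
    """[(userKey, clientId, reasons)] for each token worth an admin's attention."""
    findings = []
    for token in response.get("items", []):
        reasons = flag_token(token)
        if reasons:
            findings.append((token["userKey"], token["clientId"], reasons))
    return findings


def revoke_url(user_key, client_id):
    """tokens.delete target; an authorized DELETE to it revokes the grant."""
    return ("https://www.googleapis.com/admin/directory/v1/users/"
            f"{quote(user_key, safe='')}/tokens/{quote(client_id, safe='')}")


# Constructed sample of a tokens.list response for one user (not real data).
SAMPLE_RESPONSE = {
    "kind": "admin#directory#tokens",
    "items": [
        {"clientId": "000000000000-worm.apps.googleusercontent.com",
         "displayText": "Google Docs", "userKey": "alice@example.com",
         "scopes": ["https://mail.google.com/",
                    "https://www.google.com/m8/feeds/"]},
        {"clientId": "000000000000-cal.apps.googleusercontent.com",
         "displayText": "Team Calendar Sync", "userKey": "alice@example.com",
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
        {"clientId": "000000000000-merge.apps.googleusercontent.com",
         "displayText": "Mail Merge Helper", "userKey": "alice@example.com",
         "scopes": ["https://www.googleapis.com/auth/gmail.send",
                    "https://www.googleapis.com/auth/contacts.readonly"]},
    ],
}

if __name__ == "__main__":
    for user, client, reasons in triage(SAMPLE_RESPONSE):
        print(user, client, "; ".join(reasons))
        print("  revoke:", revoke_url(user, client))
```

tokens.list is per user, so iterate the output of users.list and call triage on each response. The second reason (mail plus contacts) is deliberately name-independent: an app that is renamed when the operation mutates still holds the scopes it needs to spread, and a legitimate mail-merge add-on that trips it is a quick manual review rather than a missed compromise.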
Opinion
Google's Accounts infrastructure is of considerable complexity but deploys an overly simplistic user interface for users to authorize or manage permissions.