DBSA:2017-05031

From Digibase Knowledge Base
Revision as of 23:06, 3 May 2017

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant. Please refer to the "Date" section of the header to be sure the advisory is recent as it pertains to your situation.

Digibase Security Advisory - Google/GMail/Docs Account Phishing Scheme

Keywords: Google, Google Docs, Phishing, Accounts, GMail

DBSA ID: 2017-05031

Regarding: Google/GMail Account Phishing Scheme

Writeup: Kradorex Xeron (talk) 23:11, 3 May 2017 (EDT)

Date: 2017 05 04

Last Modified: 20170503230624 by Kradorex Xeron

Who should take note: All Google Users and Associated Contacts

Classification

Priority: MODERATE

Rationale: Users must be increasingly vigilant to avoid being vulnerable.

Severity: HIGH

Rationale: Successful exploitation may result in full account compromise.

Spread of Issue: SINGLE-PLATFORM HIGH

Rationale: All Google Users are potential targets.

Description

Google is an Internet conglomerate that provides multiple services to the public. Of specific interest here are GMail, an email service, and Docs, an online office-style document creation and sharing service.

A phishing scheme has been discovered where, due to how Google Accounts is designed, an unauthorized third party may impersonate a user's known contact and send the target a crafted request that, if accepted, compromises the user's account. The request is presented through Google's own account authorization flow rather than through a forged login page, so the usual phishing cues (a foreign domain, a mismatched login form) are absent and users may not recognise it as phishing. Accepting the request grants the attacker's application access to the account, which is why the remedy below is to revoke application permissions rather than to change the password.

Two indicators observed in this campaign: the links point to domain names containing "docscloud" that serve non-existent documents, and the requests are addressed to "hhhhhhhhhhhhhhhh@mailinator.com" (the actual targets are not in the To: line). These indicators are specific to the current wave and can be changed by the attacker at any time, so they should not be relied upon for detection; a message without them is not evidence that it is safe.
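The following is an added triage example, not part of the original advisory or of any Google tooling. It parses raw RFC 5322 messages with Python's standard email library and reports which of the two indicators named above are present. The two sample messages are constructed for this example; the hostname docscloud.example and the sender addresses are placeholders, not observed infrastructure. As the advisory says, a hit is a reason to look closer, and a miss proves nothing.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Indicators taken from the advisory text. They are weak, campaign-specific
# signals: the attacker controls both values and can change them at will.
SUSPICIOUS_RECIPIENT = "hhhhhhhhhhhhhhhh@mailinator.com"
SUSPICIOUS_HOST_FRAGMENT = "docscloud"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample messages (not real captures). The first mimics the
# campaign's shape: a known contact as sender, the throwaway mailinator
# address in To:, and a "document" link on a docscloud host.
SAMPLE_PHISH = """From: A Known Contact <contact@example.com>
To: hhhhhhhhhhhhhhhh@mailinator.com
Subject: Document shared with you
Content-Type: text/plain; charset="utf-8"

A Known Contact has shared a document with you.
Open in Docs: https://docscloud.example/document/d/abc
"""

# A legitimate-looking share notification with neither indicator.
SAMPLE_BENIGN = """From: A Known Contact <contact@example.com>
To: user@example.com
Subject: Budget spreadsheet
Content-Type: text/plain; charset="utf-8"

Here is the spreadsheet we discussed: https://docs.example.com/spreadsheets/d/xyz
"""


def extract_urls(msg):
    """Collect URLs from every text/* part of a parsed message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        urls.extend(URL_RE.findall(part.get_content()))
    return urls


def indicators(raw_message):
    """Return the advisory indicators present in one raw message, in order:
    'to:mailinator' for the recipient indicator, then 'link:<host>' for each
    link whose hostname contains the docscloud fragment."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    recipients = ", ".join(filter(None, [msg.get("To", ""), msg.get("Cc", "")]))
    if SUSPICIOUS_RECIPIENT in recipients.lower():
        hits.append("to:mailinator")
    for url in extract_urls(msg):
        host = (urlparse(url).hostname or "").lower()
        if SUSPICIOUS_HOST_FRAGMENT in host:
            hits.append("link:" + host)
    return hits


def scan(raw_messages):
    """Return (subject, hits) for every message that matched at least one
    indicator. Messages with no hits are dropped, not marked clean."""
    flagged = []
    for raw in raw_messages:
        hits = indicators(raw)
        if hits:
            subject = email.message_from_string(raw, policy=policy.default)["Subject"]
            flagged.append((str(subject), hits))
    return flagged


if __name__ == "__main__":
    for subject, hits in scan([SAMPLE_PHISH, SAMPLE_BENIGN]):
        print(f"{subject!r}: {', '.join(hits)}")
```

Run it against an mbox export by splitting the file into individual messages and passing them to scan(). Keep the indicator list short and dated: once the campaign rotates domains and throwaway addresses, the only durable check is the one in the mitigation section, verifying unexpected requests out of band.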

Mitigation/Solution

Users are advised to ignore (and NOT reject) all requests they are not anticipating, and to verify through a secondary channel (a phone call, a separate message to the contact's known address) any requests they are anticipating.

Users are advised not to reject requests, as rejecting confirms to the attacker that the target account is active and monitored, and invites them to pursue other means.

Those who have already accepted such a request are advised to visit https://myaccount.google.com/u/0/permissions?pli=1, review the applications connected to their account, and revoke access for any they do not recognise.

Opinion

Google's Accounts infrastructure is of considerable complexity but deploys an overly simplistic user interface for users to manage the noted complexity.

References