DBSA:2017-05031
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Contents
Digibase Security Advisory - Google/GMail/Docs Account Phishing Scheme
Keywords: Google, Google Docs, Phishing, Accounts, GMail
DBSA ID: 2017-05031
Regarding: Google/GMail Account Phishing Scheme
Writeup: Kradorex Xeron (talk) 23:11, 3 May 2017 (EDT)
Date: 2017 05 04
Last Modified: 20170503221114 by Kradorex Xeron
Who should take note: All Google Users and Associated Contacts
Classification
Priority: MODERATE
Rationale: Users must be increasingly vigilant to avoid being vulnerable.
Severity: HIGH
Rationale: Successful exploitation may result in full account compromise.
Spread of Issue: SINGLE-PLATFORM HIGH
Rationale: All Google Users are potential targets.
Description
Google is an Internet conglomerate that provides multiple services to the public. Of specific interest is GMail, an email service and Docs, an online office-style document creation and sharing services.
Due to how Google Accounts is designed, a phishing vulnerability has been discovered where an unauthorized third party may impersonate a user's known contact and may send a crafted request to the target that may compromise a user's account. As this phishing scheme does not rely upon a third party site and is strictly contained within Google's infrastructure, users may not detect this scheme as phishing.
Mitigation/Solution
Users are advised to ignore (and NOT reject) all requests that they are not anticipating and verify through secondary means any requests they are anticipating.
Users are advised not to reject requests as it can verify to an attacker that the target account is active and to pursue other possible means.
Opinion
Google's Accounts infrastructure is of considerable complexity but deploys an overly simplistic user interface for users to manage the noted complexity.