DBSA:2017-05031

From Digibase Knowledge Base
Revision as of 22:11, 3 May 2017 by Kradorex Xeron (talk | contribs) (Created page with "{{DBSAHEAD | TITLE=Google/GMail/Docs Account Phishing Scheme | KEYWORDS=Google, Google Docs, Phishing, Accounts, GMail }} '''DBSA ID:''' {{PAGENAME}} '''Regarding:''' Google...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - Google/GMail/Docs Account Phishing Scheme

Keywords: Google, Google Docs, Phishing, Accounts, GMail

DBSA ID: 2017-05031

Regarding: Google/GMail Account Phishing Scheme

Writeup: Kradorex Xeron (talk) 23:11, 3 May 2017 (EDT)

Date: 2017 05 04

Last Modified: 20170503221114 by Kradorex Xeron

Who should take note: All Google Users and Associated Contacts

Classification

Priority: MODERATE

Rationale: Users must be increasingly vigilant to avoid being vulnerable.

Severity: HIGH

Rationale: Successful exploitation may result in full account compromise.

Spread of Issue: SINGLE-PLATFORM HIGH

Rationale: All Google Users are potential targets.

Description

Google is an Internet conglomerate that provides multiple services to the public. Of specific interest is GMail, an email service and Docs, an online office-style document creation and sharing services.

Due to how Google Accounts is designed, a phishing vulnerability has been discovered where an unauthorized third party may impersonate a user's known contact and may send a crafted request to the target that may compromise a user's account. As this phishing scheme does not rely upon a third party site and is strictly contained within Google's infrastructure, users may not detect this scheme as phishing.

Mitigation/Solution

Users are advised to ignore (and NOT reject) all requests that they are not anticipating and verify through secondary means any requests they are anticipating.

Users are advised not to reject requests as it can verify to an attacker that the target account is active and to pursue other possible means.

Opinion

Google's Accounts infrastructure is of considerable complexity but deploys an overly simplistic user interface for users to manage the noted complexity.

References