
Don’t trust OAuth: Why the “Google Docs” worm was so convincing

You really think someone would just go on the Internet and tell lies?


An evil phishing worm masquerading as "Google Docs" took the Internet by storm today. It sent an e-mail claiming to be from a friend or relative who wanted to share a document with you. Clicking on the "Open in Docs" button asked you to log in to Google, then it popped up a familiar OAuth request asking for some permissions. If you clicked "Allow," the permissions granted it full control over your e-mail and access to all your contacts. The worm then e-mailed everyone in your contacts list before doing god-only-knows what else to the victim's e-mail.

The interesting thing about this worm was just how convincing it was. The e-mail was excellent: it used the exact same language as a Google Docs sharing e-mail and the exact same "Open" button. Clicking on the link brought up an authentic Google log-in page, served from Google's servers. Then you were presented with a real Google OAuth permissions page, also from Google's servers. The trick was that the app claiming to be "Google Docs" wasn't really Google Docs. The consent screen showed a third-party app that had registered with the display name "Google Docs" and a profile picture matching the Google Docs logo, and nothing on the face of that screen distinguished it from the real thing.

The surest way to tell the whole thing was a scam was to click the down arrow next to the "Google Docs" name. This showed you the developer info, which, rather than Google, was a random person with the e-mail "eugene.pupov@gmail.com." Genuine Google apps use OAuth all the time, but if you open the developer info for one of those you'll see an "@google.com" address. There was a second tell, though only after the damage was done: after you clicked "Allow," instead of sending you back to a Google page, the phish redirected you to one of several Google-sounding domains, in this case "googledoc.g-docs.pro."
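The tells above (the developer address behind the drop-down, the non-Google redirect target, and the scopes actually being requested) can be turned into an automated check, which is what a mail gateway's link scanner or a cautious admin would want. The following is an added example written for this page, not code from the article or from Google. It parses the kind of authorization URL that the "Open in Docs" button leads to and returns a list of warnings. The worm-like request below is constructed: the app name, developer address and redirect domain are the ones reported in the article, the scope strings are the real Google API scope URLs for full Gmail and contacts access, but the client_id, the callback path and the benign "Acme Notes" comparison app are made up.

```python
"""Triage a Google OAuth consent request using the tells the article describes.

Added example for this page, not code from the article or from Google.
Everything marked "constructed" below is invented for illustration.
"""
from urllib.parse import parse_qs, urlparse

# Hosts a Google-owned client would legitimately redirect back to.
# Assumption: this allow-list is the example's, not Google's policy.
GOOGLE_HOSTS = ("google.com", "googleapis.com", "googleusercontent.com")

# Scopes that, once granted, let an app read and send all mail and
# enumerate every contact, which is what the worm asked for.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read/send/delete access to Gmail",
    "https://www.googleapis.com/auth/contacts": "read/write all contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read all contacts",
}

# Display names only a Google-owned client should be using.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "google sheets", "gmail"}

# Substrings that make a non-Google host look Google-owned.
LOOKALIKE_TOKENS = ("google", "g-doc", "gdoc", "gmail")


def is_google_host(host):
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in GOOGLE_HOSTS)


def assess_consent_request(authorize_url, app_name, developer_email):
    """Return a list of human-readable warnings; an empty list means nothing odd."""
    warnings = []
    params = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
    redirect_host = (urlparse(params.get("redirect_uri", "")).hostname or "").lower()
    dev_domain = developer_email.rsplit("@", 1)[-1].lower()
    claims_google = app_name.strip().lower() in GOOGLE_PRODUCT_NAMES

    # Tell 1: the developer info hidden behind the drop-down arrow.
    if claims_google and dev_domain != "google.com":
        warnings.append(f"app calls itself {app_name!r} but developer is {developer_email!r}")

    # Tell 2: where "Allow" sends you. A real Google product lands on a Google page.
    if claims_google and not is_google_host(redirect_host):
        warnings.append(f"app calls itself {app_name!r} but redirects to {redirect_host!r}")
    if not is_google_host(redirect_host) and any(t in redirect_host for t in LOOKALIKE_TOKENS):
        warnings.append(f"redirect host {redirect_host!r} imitates a Google domain")

    # Tell 3: what is actually being granted, regardless of who is asking.
    for scope in params.get("scope", "").split():
        if scope in HIGH_RISK_SCOPES:
            warnings.append(f"requests {scope} ({HIGH_RISK_SCOPES[scope]})")
    return warnings


def risk_level(warnings):
    """'deny' for impersonation, 'review' for broad scopes only, otherwise 'ok'."""
    if any("calls itself" in w or "imitates" in w for w in warnings):
        return "deny"
    if any(w.startswith("requests ") for w in warnings):
        return "review"
    return "ok"


# Constructed request modelled on the worm: domain and developer address as
# reported in the article, made-up client_id and callback path.
WORM_LIKE_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fgoogledoc.g-docs.pro%2Fcallback"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "&response_type=code"
)

# Constructed request from an ordinary third-party app asking only for
# per-file Drive access; nothing here should be flagged.
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=111111111111-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fnotes.acme.example%2Foauth%2Fcallback"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file"
    "&response_type=code"
)

if __name__ == "__main__":
    for label, url, name, dev in (
        ("worm-like", WORM_LIKE_URL, "Google Docs", "eugene.pupov@gmail.com"),
        ("benign", BENIGN_URL, "Acme Notes", "dev@acme.example"),
    ):
        found = assess_consent_request(url, name, dev)
        print(f"{label}: {risk_level(found)}")
        for w in found:
            print("  -", w)
```

Run as a script, the worm-like request comes back as "deny" with five warnings (bogus developer address, non-Google redirect for a Google-branded app, look-alike redirect host, and the two broad scopes), while the Acme Notes request comes back clean. Note that a non-Google redirect is only suspicious in combination with a Google product name; ordinary third-party apps redirect to their own domains, so the scope check is what matters for them.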

The downside (or upside?) to having a worm so closely tied to Google's infrastructure is that Google has some control over it. The company shut down the OAuth client and redirected users to an error page. Google also auto-revoked the permissions from everyone's account. For a time, though, the worm had total access to each victim's e-mail, so, in addition to spamming all your contacts, it could have copied all your e-mails (and all your Hangouts chats) to a third-party server. In the future, that data could be used for more targeted phishing attempts, since the attacker has seen which services and accounts each victim's address is tied to. It could also be used for a public dump of VIP e-mails, like what happened to the DNC. It is worth checking the apps connected to your own account and revoking anything you don't recognize, because a revoked token is the only thing that ends this kind of access; changing your password does not.

Google issued a statement on the phishing attempt, saying:

We have taken action to protect users against an e-mail impersonating Google Docs & have disabled offending accounts. We’ve removed the fake pages [and] pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing e-mails in Gmail.

In the future, I think we'll need to see a redesign of how Google's OAuth pages work. The problem is that the true entity to which you're granting permissions in Google's OAuth interface is buried under a drop-down window. Right now, the interface relies on the app developer not lying about its name and app logo, and that's just not good enough.
