Tuesday, May 9, 2017

Google Docs and the Mailinator

   You're minding your own business, just checking email, when you get an email from a "friend" inviting you to get a shared Google Doc file.

   You're a student of security, or at least a fan, so you're always skeptical when you receive an email with a link or attachment.  This one appears to come from someone you know.  The subject and body of the message seem consistent with a Google doc sharing message.

   Problem clue #1 - look at the "To:" line.  Clearly, this message wasn't sent to you.

   Problem clue #2 - were you expecting this email and file?  Has this sender sent you Google docs in the past?  Did this email arrive at work or home - and do you normally use Google docs there?

   But, you are rushed and don't have time to send your friend a message to see if this email is legit.  So you click.  If you're not already logged in to your Google account, you're asked to log in.  What you see next is...

   Now here's where it gets interesting.

   Problem clue #3 - look at those permissions.  This "document" wants to manage my email?  And my contacts???   Denied!  But many people clicked.  (see below for information on what to do if you did click)  The thing to remember here is that you should always look at what permissions an app wants and if you don't want to give those permissions, or if you don't understand those permissions... then don't click "Allow"!

   So what exactly happened here?  The "attacker" created a malicious app called "Google Docs".  When executed, it grabs your address book and sends a sharing message to your contacts.  When you click, you first log in to your legit Google account (if you're not already logged in).  The app then redirects you to a non-Google page that looks like a Google page and asks you to grant email and contacts management to the app.  If you click "Allow", you have allowed the app to use your Gmail login so it has access to your contacts... and the emails continue.

   The way Google grants permission without just sending your password is using something called OAUTH (pronounced o-wath).  I won't go into details here, but if you're interested, here are some good explanations.  The bottom line is that the app didn't need to steal your password to do this.  However, the app did control your gmail, and you likely have that connected to many other accounts.  This app could have easily changed your gmail password and possibly passwords to other accounts you own as well.  This is why your personal email is important to protect... because it's likely connected with so many other accounts.

   I do think that gmail is a very good service.  You should use it and protect it with 2-factor authentication.

   Note that for most people, this attack was on their personal gmail.  However, many companies use Google Apps as their enterprise "office" solution.  That means that some people's work email was compromised and that can lead to breaches or other problems.

   What should you do?  Whether you clicked or not, it's always important to understand what apps are connected with your Google account.  You can check that by going to https://myaccount.google.com/security?pli=1#connectedapps.  This will show you what apps are connected to your account.  If you don't recognize one, get rid of it!

   While you're there, at https://myaccount.google.com/security you can run a total security check of your Google account.  Do it!

   Finally, you can change your Google password, though this attack would not have stolen your password.  The attacker could have changed your password, but you'd probably know that!

   One more note... there is speculation that a student may have created this "virus" as an experiment and it got out of hand.  Stay tuned for more news...

1 comment: