Note: Information for G-Suite domain Administrators located at the bottom of this write up.
Yesterdays email debacle was widespread and hit a large number of Gmail users worldwide. Many of the media outlets have touted the “dangerous attack” as “hacking” your email account and warned users not to open any Google Docs. However, this email in particular did not actually do any harm (beyond the annoyance of spamming millions of email accounts). After seeing the source code and the events that followed the incident, it is believed by many (myself included) that this was a proof of concept attack by a researcher to open Google’s eyes to a possible vulnerability. It worked, as Google moved swiftly to disable the app and put in safeguards to HELP combat similar and possibly more malicious attacks in the future. DO NOT be afraid to open Google Docs that are shared with you. DO read on for more information about how you can safeguard yourself from similar attacks in the future.
- What happened after you clicked open on the offending email is the problem, and it something that we have complete control over.
- The email linked to an authorization page (see screenshot below) that asked you to give an app called Google Docs (Not the actual Google Docs, Docs should never ask you for Gmail and Contact permissions), full access privileges to your gmail account and your contacts.
- If you clicked allow (rather than closing the page, or hitting deny), it installed an app with the ability to read your contacts and read/send email as you.
- The app script then sent that same message to every one of your contacts and an inbox on mailinator.com (the email@example.com address). Mailinator.com is a public inbox service that had no ties to the email and worked quickly to disable the inbox.
What can you do to protect yourself?
- Never open ANY email Attachments from an unknown source, and be careful when opening attachments from a known source.
- ALWAYS read and understand what permissions you are giving apps (Online, on your cellphone, on your computer, etc..). If the permissions seem overly invasive, ask questions.
- If you get a message that says a Google Doc is being shared with you, and it seems out of place, go to drive.google.com and click on the “Shared With Me” tab. Any real shared Google Docs will be located there.
- Go to https://myaccount.google.com/security and audit your account settings every once in a while. If you click on the “Connected apps & sites” tab, you can verify which apps have which permissions and disable any unused, over-reaching, or out of place apps.
- Here is more information for keeping your account secure from Google- https://support.google.com/accounts/answer/46526?hl=en
Notes for G-Suite Domain Administrators:
- It’s wouldn’t be a bad idea use GAM to delete and OAuth Tokens left behind by this incident.
- If you want to see anyone on your domain has these OAuth tokens, you can use the following command:
gam all users show token clientid xxxxxInsertTokenIDHerexxxxx
- If you want to see who has these tokens, and delete them, run this command in GAM
gam print users | gam csv – gam user ~primaryEmail delete token clientid xxxxxInsertTokenIDHerexxxxx
Known Token IDs to be removed.
- Reddit Thread: https://www.reddit.com/r/google/comments/692cr4/new_google_ docs_ phishing_scam_almost_undetectable/?st=j2altrri&sh=359d0503
- The Verge Article: https://www.theverge.com/2017/5/3/15534768/google-docs-phishing-attack-share-this-document-with-you-spam
- Script Payload: https://hastebin.com/gubegaqusi.xml
- Here is more information for keeping your account secure from Google: https://support.google.com/accounts/answer/46526?hl=en
May the 4th be with you (Happy Star Wars Day!),