Google locks down OAuth after ‘fake Docs’ Gmail phishing attack

Google has overhauled the rules for apps that use its version of the OAuth app authorization protocol to constrain apps it hasn’t verified. 

The OAuth protocol is a useful tool for connecting third-party apps to accounts on large platforms like Google, Twitter, and Facebook. 

The protocol relies on tokens to grant access to some account information from platform providers; however, an attack on Gmail users in May demonstrated that the authorization flow can easily be abused with a little social engineering. The indiscriminate attack on Gmail users followed several instances of suspected state-backed hackers using the same technique. 

Google in response said it would ramp up defenses against this type of attack and warned that changes will add “friction” to the process of publishing web applications that use OAuth. 

Google had not been clear about how it would obstruct abuse of OAuth, but on Tuesday it rolled out a new review process for Google OAuth clients that request sensitive information. Google will also start displaying new warnings for “unverified” apps. 

End-users may soon see the “unverified app” warning for apps that haven’t been reviewed by Google. The message is shown before the screen where users grant permission for an app to access account information. 

The screen itself contains a warning that “this app isn’t verified” beneath a red triangle with an exclamation mark, and a note to “only proceed if you know and trust the developer”. 

As Google foreshadowed, the process does create a hurdle for web developers and moves the process for access to OAuth closer to the ‘walled garden’ approach of the Google Play store and Apple’s App Store. 

“If you create user-facing apps, go through the verification process before you launch your application. You can continue to build and test your application while waiting to complete verification. Upon successful completion of the process, the unverified app screen will be removed from your client,” Google notes in a support page for the new process. 

If developers make further changes to their app after the review, it may need to undergo another verification process. 

“Subsequent modifications of your client or the usage of new scopes after verification may require you to go through verification again.”

Google is, however, allowing some flexibility in its new policy. It will allow an unspecified number of users to proceed beyond the “unverified app” screen before enforcement. 
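The policy described above (a warning interstitial for unverified clients that request sensitive scopes, and re-verification when a reviewed client starts asking for new scopes) can be modelled as a small decision function. The following is an added example, not Google's code or the article's: the record shapes, the client ids and display names, and the choice of which scopes count as "sensitive" are assumptions made for illustration, and the sample consent events are constructed. It generalises the article's case slightly by also flagging a previously verified client whose new request exceeds the scopes its review covered.

```python
from dataclasses import dataclass

# Real Google scope strings; which of them count as "sensitive" is an
# assumption made for this example, not Google's published classification.
GMAIL_FULL = "https://mail.google.com/"
GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"
GMAIL_MODIFY = "https://www.googleapis.com/auth/gmail.modify"
CONTACTS_READONLY = "https://www.googleapis.com/auth/contacts.readonly"
USERINFO_EMAIL = "https://www.googleapis.com/auth/userinfo.email"

SENSITIVE_SCOPES = frozenset({GMAIL_FULL, GMAIL_READONLY, GMAIL_MODIFY, CONTACTS_READONLY})


@dataclass(frozen=True)
class ClientRecord:
    """An OAuth client as the platform knows it (hypothetical record shape)."""
    client_id: str
    display_name: str
    # Scopes covered by a completed review. An empty set means never verified.
    verified_scopes: frozenset


@dataclass(frozen=True)
class ConsentRequest:
    """One authorization request arriving at the consent screen."""
    client_id: str
    requested_scopes: frozenset


def consent_decision(client, request, sensitive=SENSITIVE_SCOPES):
    """Decide whether the consent flow shows the 'unverified app' warning.

    Returns (decision, uncovered_sensitive_scopes):
      'proceed'         - nothing sensitive requested, or every sensitive
                          scope is covered by the client's completed review
      'warn_unverified' - at least one sensitive scope is requested that no
                          review covered (client never reviewed, or new scopes
                          added after review), so the warning screen is shown
    """
    if client.client_id != request.client_id:
        raise ValueError("request does not belong to this client")
    sensitive_requested = request.requested_scopes & sensitive
    uncovered = sensitive_requested - client.verified_scopes
    if uncovered:
        return "warn_unverified", sorted(uncovered)
    return "proceed", []


# Constructed sample registry: client ids and display names are made up.
CLIENTS = {
    "verified-mail-app": ClientRecord("verified-mail-app", "Mail Helper",
                                      frozenset({GMAIL_READONLY})),
    # A never-reviewed client using a lookalike product name.
    "unreviewed-docs-lookalike": ClientRecord("unreviewed-docs-lookalike",
                                              "Google Docs", frozenset()),
    "profile-only": ClientRecord("profile-only", "Profile Widget", frozenset()),
}

# Constructed consent events, as they might appear in an authorization log.
SAMPLE_REQUESTS = [
    ConsentRequest("verified-mail-app", frozenset({GMAIL_READONLY, USERINFO_EMAIL})),
    # The same verified client now asking for a scope its review did not cover.
    ConsentRequest("verified-mail-app", frozenset({GMAIL_MODIFY})),
    ConsentRequest("unreviewed-docs-lookalike", frozenset({GMAIL_FULL, CONTACTS_READONLY})),
    ConsentRequest("profile-only", frozenset({USERINFO_EMAIL})),
]


def audit(clients, requests):
    """Run every request through the decision and return the flagged ones."""
    flagged = []
    for req in requests:
        client = clients[req.client_id]
        decision, scopes = consent_decision(client, req)
        if decision == "warn_unverified":
            flagged.append((req.client_id, client.display_name, scopes))
    return flagged


if __name__ == "__main__":
    for entry in audit(CLIENTS, SAMPLE_REQUESTS):
        print("unverified app warning:", entry)
```

Running the block flags two of the four sample events: the never-reviewed lookalike client asking for full mailbox and contacts access, and the verified client whose new `gmail.modify` request falls outside its reviewed scopes, which is the case Google's "usage of new scopes after verification" note covers. A request limited to profile information is allowed through without the warning, matching the article's point that the review targets sensitive data.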
