In May 2017, a phishing attack now called the “Google Docs Worm” spread across the internet. It used a special web application to impersonate Google Docs and request in-depth access to the email and contact list in Gmail accounts. The scam was so effective because the requests seemed to come from people the target knew. If they granted access, the app would automatically distribute the same scam email to the victim’s contacts, perpetuating the worm. The incident eventually affected more than one million accounts before Google successfully contained it. However, new research shows that the company’s fixes are far from enough. Another viral Google Docs scam could happen at any time.
Independent security researcher Matthew Bryant said that most of the power of Google Workspace phishing and scams comes from manipulating legitimate functions and services for abusive ends. Targets are more likely to fall for the attacks because they trust Google products. This strategy also largely puts the activity outside the scope of antivirus tools or other security scanners, because it is network-based and manipulates legitimate infrastructure.
In research published at this month’s Defcon security conference, Bryant found workarounds that attackers might use to bypass Google’s enhanced Workspace protections. The risks of Google Workspace hijinks are not just theoretical. Several recent scams use the same general method of operation, relying on real Google Workspace notifications and features to make a phishing link or page look more legitimate and attract the target.
Bryant said all these problems stem from the conceptual design of Workspace. The same functionality that makes the platform flexible, adaptable, and sharing-oriented also provides opportunities for abuse. With more than 2.6 billion Google Workspace users, the stakes are high.
“The design first had problems, which led to all these security issues, and these problems cannot be fixed simply; most of them are not magical one-time fixes,” Bryant said. “Google has made efforts, but these risks come from specific design decisions. Fundamental improvements will involve the painful process of rebuilding these things.”
After the 2017 incident, Google added more restrictions on the applications that can interact with Google Workspace, especially those that request any type of sensitive access, such as email or contacts. Individuals can use these “Apps Script” applications, but Google mainly supports them so that business users can customize and extend the functionality of Workspace. With the enhanced protections, if an application has more than 100 users, the developer needs to submit it to Google for a well-known, rigorous review process before it can be distributed. At the same time, if you try to run an application that has fewer than 100 users and has not been reviewed, Workspace will show you a detailed warning screen that strongly recommends you do not continue.
Even with these protective measures, Bryant still found a loophole. If you receive applications attached to documents from someone in your Google Workspace organization, these small applications can run without alerts. The idea is that you trust your colleagues enough not to need the hassle of strict warnings and alerts. However, these types of design choices leave potential openings for attacks.
For example, Bryant discovered that by sharing a link to a Google Doc to which one of these applications was attached, and changing the word “edit” at the end of the URL to the word “copy”, users who opened the link would see a prominent “copy document” prompt. Users could also simply close the tab, but if they believe the document is legitimate and click to copy it, they become the creator and owner of the copy. They are also listed as the “developer” of the application that is still embedded in the document. Therefore, when the application asks to run and gain access to their Google account data, without any additional warning, the victim will see their own email address in the prompt.
Not all components of the application are copied along with the document, but Bryant has also found a solution to this problem. Attackers can embed the missing elements in Google Workspace’s version of a task-automation “macro”, the same kind of feature that is often abused in Microsoft Office. Ultimately, an attacker can get someone in the organization to take ownership of the malicious application and grant it access, and the application can in turn request access to the Google accounts of other people in the same organization without warning.
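A defender-side check for the link change described above, where “edit” at the end of a shared document URL is replaced with “copy”. This is an added example, not code from the researcher or from Google; the URL shapes it accepts, the names `classify` and `find_copy_links`, and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: editor links look like docs.google.com/<product>/d/<id>/<action>,
# optionally with an account selector such as /u/0/ in the path.
PRODUCTS = {"document", "spreadsheets", "presentation"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def classify(url, depth=0):
    """Return (product, doc_id, action) for a Workspace editor link, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Unwrap google.com/url?q=<target> redirect wrappers (bounded recursion).
    if host in ("google.com", "www.google.com") and parts.path == "/url":
        target = parse_qs(parts.query).get("q", [""])[0]
        return classify(target, depth + 1) if target and depth < 2 else None
    if host != "docs.google.com":  # exact match, so lookalike hosts are ignored
        return None
    segs = [s for s in parts.path.split("/") if s]
    try:
        p = next(i for i, s in enumerate(segs) if s in PRODUCTS)
        d = segs.index("d", p + 1)
        doc_id = segs[d + 1]
    except (StopIteration, ValueError, IndexError):
        return None
    action = segs[d + 2].lower() if len(segs) > d + 2 else ""
    return segs[p], doc_id, action

def find_copy_links(text):
    """List (product, doc_id) for every link in text whose action is 'copy'."""
    hits = []
    for raw in URL_RE.findall(text):
        info = classify(raw.rstrip(".,;:!?"))  # drop trailing sentence punctuation
        if info and info[2] == "copy":
            hits.append(info[:2])
    return hits

# Constructed sample messages (document IDs are placeholders, not real files).
SAMPLES = [
    "Agenda: https://docs.google.com/document/d/CONSTRUCTED_ID_A/edit?usp=sharing",
    "Please review https://docs.google.com/document/d/CONSTRUCTED_ID_B/copy.",
    "Q3 numbers https://docs.google.com/spreadsheets/u/0/d/CONSTRUCTED_ID_C/copy?usp=sharing",
    "See https://www.google.com/url?q=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2FCONSTRUCTED_ID_D%2Fcopy&sa=D",
    "Lookalike https://docs.google.com.example.net/document/d/CONSTRUCTED_ID_E/copy",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(find_copy_links(msg), "<-", msg)
```

A hit is a triage signal rather than a verdict: it tells a reviewer which shared links will open on the copy prompt instead of the editor.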