Archive for May 5, 2017

#Fail: Google Warned About Mass Phishing Attack SIX YEARS AGO

Posted in Commentary with tags on May 5, 2017 by itnerd

This week’s mass phishing attack aimed at Gmail users was stunning in terms of scale and how effective it was. At the time, I said this:

Google has apparently locked things down so that this attack doesn’t get worse. But expect it to be around for the next couple of days. That begs the question, why didn’t Google lock things down as a proactive measure?

Here’s the answer via Motherboard:

On October 4, 2011, a researcher speculated in a mailing list that hackers could trick users into giving them access to their accounts by simply posing as a trustworthy app.

This attack, the researcher argued in the message, hinges on creating a malicious application and registering it on the OAuth service under a name like “Google,” exploiting the trust that users have in the OAuth authorization process. OAuth is a standard that allows users to grant websites or applications access to their online email and social networking accounts, or parts of their accounts, without giving up their passwords. It is commonly used throughout the web, and typically shows up as a menu that lets you select which of your personal accounts (such as your Google or Facebook account) you want to use to sign into or connect to another service.

That’s exactly what happened this week. The researcher was Andre DeMarre who told Google about this and how to fix it by validating the URL used in a request to grant access to a social media or email account. Here’s what Google actually did:

A few months after he reported the issue, DeMarre said Google told him the following: “We’re deploying some abuse detection and reactive measures to deal with impostors that might try to abuse this sort of attack. Given this, we do not intend to perform validation that the URL matches the branding information.”

Because they didn’t address this six years ago, you now have wide scale pwnage as a result. In other words, this could all have been avoided but they couldn’t be bothered.

#Fail Google.

 

 

Advertisements