Earlier this year, Google users encountered a particularly devious phishing attack. Phishers have used Google Docs in various capacities for several years, most frequently creating phony forms to collect sensitive user data. During this enormous wave of phishing attempts, though, users received an email from one of their contacts containing an edit invitation to a Google Doc. Clicking it led to a genuine Google sign-in and consent screen asking the user to allow an app called “Google Docs” to access their Google account, including their contacts and mail.
In reality, this app was fake: the real Google Docs is a first-party service and never needs to ask for permissions this way. What the victim was granting was not their password but an OAuth access token for a third-party app registered under a misleading name. With that token, the attacker’s app could read the victim’s contacts and send the same invitation to every one of them, which is how the attack spread so quickly. Shortly after news broke, Google disabled the fake app and put an end to the problem, but there was still a more basic weakness. It was too easy for apps to register under false names, like the fake “Google Docs,” and users had no clear way to tell which permission requests were legitimate. Because the grant is a token rather than a password, changing the password does not undo it; the app has to be revoked explicitly.
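The point above, that the name on the consent screen proves nothing while the scopes and the redirect target tell you what is actually being handed over, can be made concrete by triaging the authorization link itself. The script below is an added example, not code from the article or from Google. The two sample links are constructed: the client_id values and the redirect host `googledocs.example` are made up, while the scope URIs and the `accounts.google.com` endpoint are real Google OAuth identifiers. The HIGH/LOW ranking is this script’s own assumption about which scopes a self-propagating phish needs.

```python
"""Triage an OAuth 2.0 authorization link before (or after) someone clicks it.

The display name shown on Google's consent screen ("Google Docs") is not in
the URL at all: it is whatever the developer typed when registering the
client_id, so it cannot be trusted. The parts you can check are client_id,
redirect_uri (who receives the token) and scope (what the token can do).
"""
from urllib.parse import parse_qs, urlparse

# Genuine Google consent pages are served from this host. A different host
# means a lookalike page harvesting credentials, which is a different attack.
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}

# Real Google API scopes that hand over mailbox or contact data. Assumption:
# these are the scopes that matter for a worm-style consent phish.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail read/send/delete",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}

# Constructed sample: a consent link of the kind the fake "Google Docs" app
# would have used. client_id and redirect host are invented.
SAMPLE_PHISH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=1234567890-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fgoogledocs.example%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "&access_type=offline"
)

# Constructed sample: an ordinary "sign in with Google" request that only
# asks for identity. Also an invented client_id and redirect host.
SAMPLE_LOGIN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=0987654321-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fnotes.example%2Foauth"
    "&response_type=code&scope=openid%20email"
)


def triage_consent_url(url: str) -> dict:
    """Return the facts a reviewer should look at for an authorization request."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)

    def first(key: str) -> str:
        return qs.get(key, [""])[0]

    client_id = first("client_id")
    scopes = first("scope").split()          # scope is a space-separated list
    redirect = urlparse(first("redirect_uri"))
    risky = {s: HIGH_RISK_SCOPES[s] for s in scopes if s in HIGH_RISK_SCOPES}
    # access_type=offline asks for a refresh token, so the grant outlives the
    # browser session and survives a password change until revoked.
    persistent = first("access_type") == "offline"

    findings = []
    if parts.hostname not in GOOGLE_AUTH_HOSTS:
        findings.append(f"consent page is served from {parts.hostname!r}, not Google")
    if redirect.hostname:
        findings.append(f"tokens are delivered to {redirect.hostname!r}, a third party")
    if risky:
        findings.append("requests mailbox/contact access: " + "; ".join(risky.values()))
    if persistent and risky:
        findings.append("access_type=offline: access persists after logout and password change")
    if client_id:
        findings.append(f"revoke by client_id {client_id!r} in the account's third-party app list")

    return {
        "genuine_google_consent": parts.hostname in GOOGLE_AUTH_HOSTS,
        "client_id": client_id,
        "token_recipient": redirect.hostname or "",
        "high_risk_scopes": sorted(risky),
        "persistent": persistent,
        "risk": "HIGH" if risky else "LOW",
        "findings": findings,
    }


if __name__ == "__main__":
    for label, url in (("phish", SAMPLE_PHISH_URL), ("login", SAMPLE_LOGIN_URL)):
        report = triage_consent_url(url)
        print(f"[{label}] risk={report['risk']}")
        for line in report["findings"]:
            print("   -", line)
```

Note that the phishing link scores HIGH even though the consent page is genuinely Google’s: the page being real is exactly what made the attack convincing, and it is the scopes and the token recipient, not the page, that decide the risk.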
Now Google has rolled out changes to the way users interact with apps to prevent a repeat of the attack. App developers have the option to “verify” their software with Google, undergoing a review in which Google checks the app’s identity and branding and the permissions it asks for. Web apps that request Google account permissions without this verification in place now automatically display a warning. Google tells the user that the app is unverified and requires extra, deliberate steps before access can be granted.
On these notices, users also see plainly that proceeding puts their account data at risk. These measures should be enough to stop most users from going ahead: people have learned to heed interstitial warnings of this kind from Google, which already uses them to keep users off malware-laden pages and unsecured sites.
While phishers will keep looking for new ways to bait the hook and reel in users, Google has made this attack vector significantly less likely to work. Meanwhile, remember to exercise caution when clicking potentially suspicious links in email. If you aren’t expecting a document or an invitation from a friend, it can’t hurt to check with them to make certain it was intentional. And if you did click through on an invitation like this one, changing your password is not enough: review the third-party apps connected to your Google account and remove any you don’t recognise, since that is where the granted access actually lives.