Google Docs Scams Still Pose a Risk

 

A phishing attack known as the "Google Docs worm" spread across the internet in May 2017. It impersonated Google Docs and, through special web apps, requested full access to the emails and contact lists in victims' Gmail accounts. The scam worked so well because the requests appeared to come from people the target knew. If a victim gave permission, the app would send the identical fake email to the victim's contacts, spreading the worm further. It affected over a million accounts before Google fixed the situation.

However, a new study suggests that the company's solutions are insufficient. Another Google Docs phishing fraud might strike at any time. 

According to independent security researcher Matthew Bryant, Google Workspace phishing and scams draw most of their effectiveness from abusing legitimate features and services. Targets are bound to fall for the attacks because they trust Google's services. To a great extent, the strategy also puts the activity out of reach of antivirus tools and other security scanners, since it is web-based and manipulates legitimate infrastructure.

In research presented at the Defcon security conference this month, Bryant found ways that attackers might use to get past Google's upgraded Workspace protections. Recent scams used a similar general approach of manipulating genuine Google Workspace notifications and features to make phishing links or pages look more legitimate and appealing to targets.

All of these problems, according to Bryant, arise from Workspace's conceptual design. The same qualities that make the platform versatile, adaptive, and sharing-friendly also make it vulnerable to misuse. The risks are significant, with over 2.6 billion Google Workspace users. 

“The design has issues in the first place, and that leads to all of these security problems, which can’t just be fixed—most of them are not magical one-off fixes. Google has made an effort, but these risks come from specific design decisions. A fundamental improvement would involve the painful process of potentially re-architecting this stuff,” he added. 

Following the 2017 incident, Google strengthened the rules for applications that interact with Google Workspace, particularly those that request sensitive data like emails or contacts. These “Apps Script” apps can be used by individuals, although Google mainly enables them so that corporate users can modify and enhance Workspace's features. With the additional restrictions in place, if an app has more than 100 users, the developer must submit it to Google for a thorough assessment before it can be released. Meanwhile, if people try to launch an app that hasn't been approved and has fewer than 100 users, Workspace will display a comprehensive warning page.

Even with those safeguards in place, Bryant discovered a flaw. Such small applications can run without notifications if a user gets one attached to a document from someone in their Google Workspace organization. The idea is that users trust their coworkers enough that they don't need to be bothered with strict warnings and notifications. These kinds of design decisions, on the other hand, leave possible attack points.

Bryant discovered that if an attacker shares a link to a Google Doc with one of these applications attached and changes the word "edit" at the end of the URL to "copy," the user who opens the link gets a visible "Copy document" prompt. The user can close the tab, but if they believe the document is genuine and click to create a copy, they become the creator and owner of that copy. They are also identified as the "developer" of the app, which is still embedded in the document. When the app then asks for permission to run and to access their Google account data, the victim sees their own email address in the prompt, and no warnings appear.
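The trailing "copy" described above is something a mail or proxy filter can look for. The following is an added example, not code from the original article or from Bryant's research: it extracts Google Docs links from message text and flags those whose final path segment is "copy". The URL layout, the list of editor kinds, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed layout: https://docs.google.com/<kind>/d/<file-id>/<action>
# The article only states that the URL ends in "edit" or "copy".
DOC_KINDS = {"document", "spreadsheets", "presentation", "forms"}
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)

# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    "Please review: https://docs.google.com/document/d/EXAMPLE_ID_1/edit?usp=sharing",
    "Q3 budget, make your own: https://docs.google.com/document/d/EXAMPLE_ID_2/copy.",
    "See https://docs.google.com.example.net/document/d/EXAMPLE_ID_3/copy",
    "Sheet: https://docs.google.com/spreadsheets/d/EXAMPLE_ID_4/COPY?usp=sharing#gid=0",
]

def classify_link(url):
    """Return (kind, file_id, action) for a Google Docs editor link, else None."""
    parts = urlsplit(url)
    # Exact host match, so lookalikes such as docs.google.com.example.net fail.
    if (parts.hostname or "").lower() != "docs.google.com":
        return None
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) < 3 or segs[0] not in DOC_KINDS or segs[1] != "d":
        return None
    # Query string and fragment are already split off by urlsplit.
    action = segs[3].lower() if len(segs) > 3 else ""
    return segs[0], segs[2], action

def find_copy_links(text):
    """Return every Google Docs URL in text whose trailing action is 'copy'."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)'\"")  # drop sentence punctuation after the URL
        info = classify_link(url)
        if info and info[2] == "copy":
            hits.append(url)
    return hits

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url in find_copy_links(msg):
            print("copy-link:", url)
```

Copy links are also used for ordinary document templates, so a hit is a candidate for review (who sent it, and whether the document carries a script), not proof of phishing.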

Although not all of an app's elements would copy over with the document, Bryant found a way around this as well. An attacker can embed the missing elements in Google Workspace's version of a task automation "macro," which is quite similar to the Microsoft Office macros that are frequently exploited.

Finally, an attacker might persuade someone inside a company to take ownership of a malicious app and grant it access; the app can then seek access to other people's Google accounts inside the same company without any warning.

A Google spokesperson told WIRED, “We’re appreciative of the researcher’s work in identifying and reporting these risks. We are actively making further product improvements based on this research.”

None of these flaws, according to Bryant, are exclusive to Google Workspace. He also adds that the possibility of future Google Docs phishing attacks shouldn't be a reason to worry. The classic piece of advice applies: Users should only open files they expect, and if not sure why they're getting a specific document, they should verify with the claimed sender. 

On the other hand, the findings highlight the difficulty of preventing misuse on omnipresent platforms designed for flexibility and simplicity. Even something seemingly harmless like Google Docs may rapidly become a launchpad for an attack, possibly affecting billions of people.