Google has known about the issue behind yesterday's wave of phishing attacks bearing links to Google Docs for at least five years.
Sharp-eyed and long-of-memory security types have reminded world+dog of this 2011 post to an IETF mailing list by developer André DeMarre, who way back then speculated that client name application spoofing could offer an interesting attack vector.
His post offered the following scenario to explain how such an attack could work:
Imagine someone registers a client application with an OAuth service, let's call it Foobar, and he names his client app "Google, Inc.". The Foobar authorization server will engage the user with "Google, Inc. is requesting permission to do the following." The resource owner might reason, "I see that I'm legitimately on the https://www.foobar.com site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow.
And that's more or less what happened when the phishing campaign hit yesterday. As we reported “The malicious email contains what appears to be a link to a Google Doc file. This leads to a legit Google.com page asking you to authorize 'Google Docs' to access to your Gmail account.” But the app called "Google Docs" was really another app altogether that used the same name and set in motion all manner of nastiness.
DeMarre's not only clever enough to have figured out this kind of attack, he reported it to Google in 2012 and says, over on Hacker News , that he even received “a modest bounty” for his troubles.
Google then told him that “We're deploying some abuse detection and reactive measures to deal with impostors that might try to abuse this sort of attack. Given this, we do not intend to perform validation that the URL matches the branding information.”
But DeMarre says Google subsequently chose not to implement the proposed defences, a decision that now looks short-sighted to say the least!
“To be clear, I'm not criticizing Google,” DeMarre's post adds. “Just presenting an interesting piece of information that shows the approach they've taken on this type of phishing attack in the past.”
“Phishing is a hard problem, and any technical solution will only go so far,” he continues. “The main criticism I have with many OAuth authorization dialogs, not just Google's, is that they often don't show enough information for technical users to vet the authenticity of the app. It's like if a web browser didn't show the address bar.” ®