Don’t trust OAuth: Why the “Google Docs” worm was so convincing


An evil phishing worm masquerading as "Google Docs" took the Internet by storm today. It sent an e-mail claiming to be from a friend or relative who wanted to share a document with you. Clicking on the "Open in Docs" button asked you to log in to Google, then it popped up a familiar OAuth request asking for some permissions. If you clicked "Allow," the permissions granted it full control over your e-mail and access to all your contacts. The worm then e-mailed everyone in your contacts list before doing god-only-knows what else to the victim's e-mail.

The interesting thing about this worm was just how convincing it was. The e-mail was a faithful copy—it used the exact same language as a Google Docs sharing e-mail and the exact same "Open" button. Clicking on the link brought up an authentic Google log-in page, served from Google's servers. Then you were presented with a real Google OAuth permissions page, also from Google's servers. The trick was that the app claiming to be "Google Docs" wasn't really Google Docs. The screen showed a third-party app whose registered display name was "Google Docs" and whose profile picture matched the Google Docs logo; both are chosen by whoever registers the app, and Google's consent page displays them as-is.
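The practical lesson is that the name and logo on the consent page prove nothing about who is asking; the parts a user (or a mail gateway) can actually check are in the authorization URL itself: where the token will be sent (the redirect URI) and what is being requested (the scopes). The following Python script is an added example, not code from the article or from Google. The URL it inspects is constructed for illustration, including its client ID and redirect domain; the two scope strings it flags are Google's documented identifiers for full Gmail mailbox access and contacts access, which is what the text says the worm obtained.

```python
from urllib.parse import urlparse, parse_qs

# Scopes that would hand a third party what the worm got: the mailbox and the
# address book. Constructed list for this example; not exhaustive.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read/send/delete access to the Gmail mailbox",
    "https://www.googleapis.com/auth/contacts": "read/write access to all contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read access to all contacts",
}


def parse_authorization_request(url: str) -> dict:
    """Pull out the fields a user can actually verify from an OAuth 2.0
    authorization URL. The app name and logo on the consent screen are not
    in the URL at all: Google looks them up from client_id, and the developer
    who registered that client chose them."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    scopes = []
    for raw in query.get("scope", []):
        scopes.extend(raw.split())  # the scope parameter is space-separated
    return {
        "authorization_host": parts.hostname,
        "client_id": (query.get("client_id") or [None])[0],
        "redirect_uri": (query.get("redirect_uri") or [None])[0],
        "scopes": scopes,
    }


def is_google_host(host) -> bool:
    # Exact domain or a subdomain of google.com; "evil-google.com" does not match.
    return host is not None and (host == "google.com" or host.endswith(".google.com"))


def assess(url: str) -> dict:
    """Return the parsed request plus a list of human-readable warnings."""
    req = parse_authorization_request(url)
    warnings = []
    for scope in req["scopes"]:
        if scope in HIGH_RISK_SCOPES:
            warnings.append(f"scope {scope}: {HIGH_RISK_SCOPES[scope]}")
    redirect_host = urlparse(req["redirect_uri"]).hostname if req["redirect_uri"] else None
    third_party = bool(redirect_host) and not is_google_host(redirect_host)
    if third_party:
        warnings.append(
            f"the authorization code/token will be delivered to {redirect_host}, "
            "not to Google; whatever name the consent screen shows, this is a third-party app"
        )
    req["third_party"] = third_party
    req["warnings"] = warnings
    return req


# Constructed authorization URL for this example. The client ID and the
# redirect domain are hypothetical; the authorization host is Google's real
# endpoint, which is exactly why the page looked legitimate.
CONSTRUCTED_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example%2Foauth%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "&access_type=offline"
)

if __name__ == "__main__":
    result = assess(CONSTRUCTED_URL)
    print("consent page served by:", result["authorization_host"])
    print("token goes to:", result["redirect_uri"])
    for w in result["warnings"]:
        print("WARNING:", w)
```

The script deliberately reports that the consent page is served by accounts.google.com and still raises warnings: a legitimate Google-hosted page is not evidence that the requesting app is Google's. A mail or proxy filter could apply the same logic to "Open in Docs" links before a user ever sees the consent screen.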
