How a "rogue" app fooled Google Docs users into giving up access to their accounts



A sneaky phishing attack targeting Google Docs users, designed to trick them into giving up access to their Google accounts, was reported on Tuesday. It circulated for about three hours before Google could halt it.

The attack differs from past attacks in its sophistication: it focuses on stealing access to a user's account rather than just obtaining the username and password.

The scam used a rogue app made to look just like the Google Docs app, to which unsuspecting victims would grant permission to access their account.

It sent potential victims a link that appeared to be a Google Doc from someone they know and then directed them to Google's account selection screen. The emails looked legitimate but were addressed to "hhhhhhhhhhhhhhhh@mailinator.com."

The scheme tricks victims into granting the app access, which it then uses to send emails to that person's contact list, with the goal of targeting other victims.

The attacks were made possible by abuse of the OAuth protocol, a means for internet services like Google, Twitter and Facebook to connect with third-party apps.

Although the OAuth protocol doesn't transfer any password information and instead uses special access tokens that can access accounts, it can be pretty dangerous if it falls into the wrong hands.

Fortunately, Google was able to move quickly to mitigate the phishing attack after a Reddit user reported it.
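Because the rogue app relied on a trusted-looking name and a user-granted token rather than a stolen password, one defensive check is to audit existing OAuth grants for apps that borrow a protected product's name or hold mail and contacts scopes without being on an allowlist. The following is an added example, not code from the original article or from Google; the grant record layout, client IDs, allowlists and the choice of scopes are assumptions constructed for illustration.

```python
import unicodedata

# Assumption: display names the organisation treats as first-party and protected.
PROTECTED_NAMES = {"google docs", "google drive"}
# Assumption: client IDs already verified as genuine (placeholder value).
TRUSTED_CLIENT_IDS = {"trusted-client-id-placeholder"}
# Google OAuth scopes covering mail and contacts; the scopes the rogue app
# actually requested are not stated in the article, so this set is an assumption.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}

def normalise(name):
    """Fold case, compatibility forms (e.g. full-width letters) and whitespace."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())

def audit_grants(grants):
    """Return (user, client_id, reasons) for every grant that deserves review."""
    findings = []
    for grant in grants:
        if grant["client_id"] in TRUSTED_CLIENT_IDS:
            continue  # verified publisher, nothing to flag
        reasons = []
        if normalise(grant["app_name"]) in PROTECTED_NAMES:
            reasons.append("display name imitates a protected app")
        if SENSITIVE_SCOPES & set(grant["scopes"]):
            reasons.append("untrusted app holds mail or contacts scopes")
        if reasons:
            findings.append((grant["user"], grant["client_id"], reasons))
    return findings

# Constructed sample records (hypothetical layout, not a real export format).
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "app_name": "Google Docs",
     "client_id": "trusted-client-id-placeholder",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "bob@example.com", "app_name": "Google  Docs ",
     "client_id": "unknown-client-id-1",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"user": "carol@example.com", "app_name": "Calendar Helper",
     "client_id": "unknown-client-id-2",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

if __name__ == "__main__":
    for user, client_id, reasons in audit_grants(SAMPLE_GRANTS):
        print(user, client_id, "; ".join(reasons))
```

Grants flagged this way are candidates for revocation, since revoking the token cuts off the app's access even though the user's password never changed.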