Two days ago, there was a large phishing scam that plagued the internet. It was a Google Doc phishing attack perpetrated via Gmail. On Wednesday, a worm in the form of an email arrived in a lot of Gmail users' inboxes from contacts they knew. The email stated that a Google Doc document had been shared with them.

Email claiming a document had been shared Email claiming a document had been shared

If the user clicked the link to open the document, it immediately redirected the user to a Google account selection screen for authorization.

Google Account Selection Screen Google Account Selection Screen


If the user gave the fake app posing as Google Docs permission, it had the ability to read, send, delete and manage your email. It also had the ability to manage your accounts. These permissions allowed the worm to replicate itself by sending itself to all your contacts.


Swift Combat Action From Google

Once Google got wind of this phishing scam, they swept into action by disabling the malicious accounts, removed fake pages and pushed updates through Safe Browsing to users within an hour. It is highly commendable that Google nipped it in the bud early enough.

Google Action Googlers taking charge

What to Do if You Granted Permission

If you already gave the fake Google Docs app permission, here is how to protect yourself.

  1. Head over to https://myaccount.google.com/permissions.
  2. Find the app named Google Docs.
  3. Revoke the permission by clicking the Remove button.

How to Avoid Phishing Scams

Phishing scams have been around for a long time and they aren't going anywhere soon. Just last year, there was a case of a hacker who stole nude pictures from celebrities via a phishing scam that targeted iCloud accounts.

Here are a few tips to help you avoid falling victim to these scams.

  1. Look out for fake and forged Sites: Verify that the site is secure by ensuring that the URL starts with https:// instead of http. Look out for typos in the site name and URL.
  2. Install an anti-phishing toolbar: You can install these toolbars on your Internet browsers. They check the sites that you are visiting and compares them to lists of known phishing sites.
  3. Beware of links and attachments in your emails: Before you click on a link in your email, hover over it and check if the link actually links to a legitimate secure site. Don't click on links that appear in random emails and instant messages.
  4. Regularly update your browser.
  5. Beware of pop ups: Virtually all browsers allow you to block pop-ups, so you can set that as the default action. You can allow pop-ups sparingly when you actually need them.

Aside: Implementing API Authorization with Auth0

This phishing attack took advantage of the OAuth protocol, a convenient way for internet accounts to link with third-party applications. Users don't have to hand over any password information. They just grant permission to a third party app.

One of the features Auth0 provides is API Authentication and Authorization using the OAuth 2.0 authorization framework. Auth0's API authorization features allow you to manage the authorization requirements for server-to-server and client-to-server applications. If you want to use Auth0 authentication to authorize API requests, note that you'll need to use a different flow depending on your use case.

In addition, our ODIC Conformant Authentication pipeline allows you to create third-party clients for your APIs and display consent dialogs for authorization.

If a user is authenticating through a third-party client and is requesting authorization to access the user's information or perform some action at an API on their behalf, they will see a consent dialog like so:

Consent Dialog Consent Dialog

If the user chooses to allow the application, this will create a user grant which represents this user's consent to this combination of client, resource server and scopes. The client application will then receive a successful authentication response from Auth0. However, if a user decides to reject consent to the application, they will be redirected to the redirect_uri specified in the request with an access_denied error like so:


HTTP/1.1 302 Found
Location: https://fabrikam.com/contoso_social#
    error=access_denied
    &state=...

Conclusion

At Auth0, we are crazy about security. I hereby recommend this personal information security identity guide for you, your friends and family. Take the time to go through this guide and protect yourself from cybercriminals and phishing scams.