Google has pledged to fix an issue in its OAuth implementation that allowed scammers to construct phishing mails that looked like they were from the web giant, after initially saying the function was acting as intended.
The “extremely sophisticated phishing attack” was detailed by New Zealand-based Nick Johnson in this Twitter thread.
Johnson, founder and lead developer at Ethereum Name Service, detailed how attackers were able to create what appeared to be a “valid signed mail – it really was sent from no-reply@google.com” that attempted to direct him to a “very convincing” but fake “support portal”. The message claimed that “law enforcement” was demanding “retrieval of information contained in your Google Account.”
He said “They've cleverly used http://sites.google.com because they know people will see the domain is http://google.com and assume it's legit.” But, he continued, it was presumably a credentials harvesting exercise.
The legacy sites.google.com product “supports arbitrary scripts and embeds” and makes it easy for attackers to build credential harvesting sites, he said.
However, the email represented a “much more sophisticated” attack vector and “obviously a security issue on Google’s part”, Johnson said. This involved creating a Google account for me@domain, and creating a Google OAuth app for the entire phishing message “newlines and all - followed by a lot of whitespace, and ‘Google Legal Support’.”
Granting the OAuth app access to the me@ account generates a “'Security Alert' message from Google, sent to their 'me@...' email address. Since Google generated the email, it's signed with a valid DKIM key and passes all the checks.”
The message is then sent to potential victims, Johnson said, and “Because DKIM only verifies the message and its headers and not the envelope, the message passes signature validation and shows up as a legitimate message in the user's inbox - even in the same thread as legit security alerts.”
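As an added example, not from the article, Johnson or Google, the following triage check turns the point above into code: DKIM covers the signed headers (including To:) but not the SMTP envelope, so a replayed alert arrives with a valid signature and a To: header that does not match the mailbox it was actually delivered to. It assumes the receiving MTA records the envelope recipient in a Delivered-To: header and runs on a constructed sample message.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample of a replayed alert (not a captured message): the
# signed To: header names the attacker's me@ account, while the envelope
# recipient, recorded by the receiving MTA in Delivered-To:, is the victim.
SAMPLE = """\
Delivered-To: victim@example.org
Authentication-Results: mx.example.org; dkim=pass header.d=google.com
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=constructed;
 h=from:to:subject:date:message-id; bh=CONSTRUCTED; b=CONSTRUCTED
From: Google <no-reply@google.com>
To: me@attacker-controlled.example
Subject: Security alert
Date: Mon, 21 Apr 2025 10:00:00 +0000
Message-ID: <constructed@google.com>

[Google Legal Support] A law enforcement request ...""" + "\n" * 40 + " " * 200 + """
was granted access to your Google Account: me@attacker-controlled.example
"""

def signed_headers(msg):
    """Header names listed in the DKIM-Signature h= tag (what DKIM covers)."""
    m = re.search(r"\bh=([^;]+)", msg.get("DKIM-Signature", ""))
    return [h.strip().lower() for h in m.group(1).split(":")] if m else []

def replay_indicators(raw):
    """Return heuristic findings that suggest a replayed, DKIM-valid alert."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    dkim_pass = "dkim=pass" in msg.get("Authentication-Results", "")
    # DKIM signs the To: header but not the SMTP envelope recipient, so a
    # passing signature with a different actual recipient is the replay tell.
    hdr_to = parseaddr(msg.get("To", ""))[1].lower()
    env_to = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    if dkim_pass and "to" in signed_headers(msg) and hdr_to != env_to:
        findings.append("recipient-mismatch")
    # Long whitespace runs separate the attacker's text (the OAuth app name)
    # from Google's real alert text; a genuine alert has no such padding.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if re.search(r"\s{50,}", body):
        findings.append("whitespace-padding")
    return findings

if __name__ == "__main__":
    print(replay_indicators(SAMPLE))  # ['recipient-mismatch', 'whitespace-padding']
```

A legitimate alert delivered to the account it names produces no findings; the check is a triage signal, not a substitute for the DKIM verification the receiving MTA already performs.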
The attack was also detailed earlier this month by EasyDMARC.
When Johnson submitted a bug report to Google, its security team closed the issue down, saying everything was “intended behaviour” and it would not track it as “a security bug”.
It also explained that Johnson’s efforts were not in scope for its Vulnerability Reward Program. It seems they saw the issue as more about email spoofing and social engineering than a bug as such.
However, Johnson wrote, shortly afterwards Google performed an about-face, “and will be fixing the oauth bug”.
Johnson suggested in the thread that “the easy solution here is to limit OAuth application names” and to “limit them to something reasonable”.
A Google spokesperson said, “We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”