A phishing attack known as the Google Docs Worm spread across the internet in May 2017. It used web applications that impersonated Google Docs to request deep access to the emails and contact lists in Gmail accounts. The requests were so convincing because the scam appeared to come from the target's friends. If victims granted access, the app would distribute the same scam email to their contacts, perpetuating the worm. It eventually affected over a million accounts before Google was able to contain it. However, new research shows that Google's solutions don't go far enough, and a new viral Google Docs scam is possible at any time.
Matthew Bryant, an independent security researcher, says that Google Workspace scams and phishing are based in large part on manipulating legitimate services and features to abusive ends. Because they trust Google's services, targets are more likely to fall for these attacks. The tactic is also out of the reach of security scanners and antivirus tools, because it is web-based and manipulates legitimate infrastructure.
Bryant discovered workarounds that attackers might use to bypass Google's enhanced Workspace protections, and presented his findings at the Defcon security conference. The risk of Google Workspace hijinks is not just hypothetical. Recent scams have used the same approach, manipulating Google Workspace notifications and features to make phishing pages or links look more legitimate and appealing to victims.
Bryant claims that all these issues stem from Workspace's design. The same features that make Workspace flexible, adaptable and geared towards sharing also create opportunities for abuse. With more than 2.6 million Google Workspace users, the stakes are high.
Bryant states that the design is flawed in the first place, which leads to security issues that cannot be fixed. Google has tried to improve the design, but there are risks associated with specific design decisions. Addressing them would require fundamental improvement, which could mean re-architecting the site.
After the 2017 incident, Google placed additional restrictions on apps that interface with Google Workspace, including those that require sensitive access such as email or contacts. These Apps Script apps can be used by individuals, but Google supports them primarily so that enterprise users can customize and expand Workspace. Under the enhanced protections, apps with more than 100 users must be submitted to Google for a rigorous review before they can be distributed. Workspace will warn you before running an app with fewer than 100 users if it hasn't been approved.
Despite all the protections, Bryant discovered a loophole. These small apps will run without alerts if they are attached to documents from your Google Workspace organization. The idea is that you trust your colleagues enough not to need any alerts or warnings. These design choices can open the door to attacks.
"Design issues are the problem in the first place. This leads to security problems that can't be fixed." (Security researcher Matthew Bryant)
Bryant discovered that if he shared a link to a Google Doc with one of these apps attached, and changed the word "edit" at the end of the URL to the word "text", users who opened the link would see a prompt to copy the document. They can simply close the tab, but if a user believes the document is genuine and clicks through to make a copy, that copy becomes theirs. If the app is still embedded in the document, they are also listed as the app's developer. The victim will then see their own email address when the app asks them for permission to run and access their Google account data.
Bryant discovered a way to get around this problem. An attacker could embed the missing elements in Google Workspace's version of a task automation macro. These macros are very similar to those used in Microsoft Office. An attacker could eventually get access to the malicious app and take control of it. This allows them to request access to other Google accounts in the same company without warning.