Ask HN: Google Doc email virus?

481 points by eof ↗ HN
We just received multiple "google doc shares" that seemed sketchy and were not sent by the claimed sender.

They came from different companies that have no connection to each other, I assume others are seeing them too right about now. Anyone know whats up?

219 comments

[ 3.4 ms ] story [ 251 ms ] thread
Same here. Several emails so far from different seemingly random companies and individuals with clearly malicious Google Docs requests w/ a suspicious param in the oauth request in the link:

"&redirect_uri=3Dhttps%3A%2F%2Fgoogledocs.docscloud.info%2Fg.php&customparam=3Dcustomparam"

Seeing an alternate redirect redirect_uri= =3Dhttps%3A%2F%2Fgoogledocs.g-docs.win%2Fg.php
(comment deleted)
Yeah @SwiftOnSecurity warned about this, lots of people/orgs affected
I just received one of these as well. They seem to get their targets by compromising a single user and then by monitoring the people who are viewing the same Google Docs as the infected victim had in the past.
This is burning through our office right now. emailing all clients! diablo!
EDIT: According to a Google representative on the reddit thread, this application is now blocked. If your account was affected, you no longer need to do anything.

If you fell for this, changing your password is not the right solution - you want to log into your google account and remove permissions from the application.

https://myaccount.google.com/permissions?pli=1 should show a list of apps connected to your account.

Also, if you fell for this, you sent a bunch of emails to people like the one you received, so maybe tell them not to click.

what application? i tried this and dont see anything in there that looks like it could be it
"Google Docs" with the real icon and everything.
Not seeing that weirdly. Could it be "google chrome"?
I've seen 2 client ids used and yes Google Docs and Google Chrome, not sure if google closed them both/all down. Here's a video on what to do/look for:

http://youtu.be/fjEenkk9Ntk?hd=1

Removed picasa, im guessin that's just Google Photos tho. so idk
(comment deleted)
It will be called "google docs" because for some reason that's allowed.
Source code of the worm: https://hastebin.com/gubegaqusi.xml

Pretty much what you'd expect.

Edit: This isn't the full source code. There was another PHP file visible on their website that unfortunately isn't visible anymore.

Heh, they're using Google Analytics to track its spread. That's a nice touch.
It's possible to send any data we want to their Analytics tracker... perhaps we send them some spam?
Where is ilovevitaly when you need him?!
"No fair! You got your privacy invasion in my privacy invasion!"
Man, I wonder how wider this would have spread if they spent a teensy bit more time to make e.g. the To address less suspicious.
On a brief skim, it doesn't seem to do much besides spread itself. Am I missing something, or was it just for lulz? Or maybe a grey hat trying to prove a point?
That's all this code does, but The author then has a backdoor to all the victim's email through the oauth app.
Except that Google can kill those auths.
It's really a question of how malicious the author was- if they set it up to download everything attached to the account as soon as it connected, it could still cause a lot of damage.
Even worst: The hacker could have taken a list of lets say the top 1000 banking (or any type of online service) websites accross the globe. The moment the hacker get access to your gmail account, he initiatite a password recovery request on each of those 1000 websites, get the password reset link from the email, reset the password, delete the email. he could now have access to any other online account you have that had its recovery email set to your gmail account.
Safe to assume that google could track such activity for affected accounts and notify if that was widespread?

(or is that somehow against the 'only our anonymized ad display program can scan your email' privacy policy?)

The most recent statement from google said that "no other data was accessed" so interpret that as you will
It redirects to a couple different PHP pages as well, so there could have been more malicious code there
What context was that code expected to be executed in?
> If your account was affected, you no longer need to do anything.

How do you figure? An unknown actor presumably had full access to your email inbox for a non-zero amount of time and the proper remediation is "nothing"? If I was concerned this had affected me I would right now be changing my passwords to ____everything____.

What attack vector does changing your password help with? Are you concerned they could have recovered the account password via the Oauth scope?
Changing your password is the fastest way to ensure all authed sessions on any device is logged out. Google offers a "log out of any sessions" button somewhere in account settings, but most other services don't.

If your email account is compromised, any service that do password resets via email confirmation, are potentially compromised by whoever has access to your email via OAuth.

I'm pretty sure that changing your password does NOT revoke your oauth scopes, which was the attack vector here.
The greater issue is the passwords of other accounts, which could now be 'recovered' as the attacker has your access to your email
Yes, I agree, although revoking the scope should remove the access (and I assume Google did that for everyone already).
After looking at the source code, it looks like all it does is send a copy of itself to somebody in your inbox, and nothing else.
(comment deleted)
We dont really have any proof that this is the only code that got executed. Whoever owned the OAuth account had direct access to your information from google's servers, he wouldnt need to go through you as a client to get it.
Well change the passwords to everything except the google account that was compromised. I don't think you can recover the password of a google account through its own gmail inbox.

Although I guess if you had a circular recovery chain of this google account depending on a different email that depended on this google account, the attacker could use your email to recover the other email then use the other email to recover this google account. So it might be wise to change the passwords to everything.

Our support team is getting spammed a lot from our customers. We're in the education space, and it's spreading pretty quick.

On initial inspection the URL looks harmless, but it's got some malicious params in there, mainly

  redirect_uri=https%3A%2F%2Fgoogledocs.g-docs.win%2Fg.php
It appears to request read/send access to your email, and then spam all your contacts
I received one with this address as well.
amazing how large this is, our company just a massive wave of those. all from "internal" addresses.
It's a pretty nasty one, since it uses their standard OAuth flow with an app "Google Docs" to have users grant full access to their email and contacts.

1. I can't believe Google doesn't have basic filters to disallow developers from registering an app named "Google Docs"

2. Perhaps there should be some more validation/limits associated with allowing apps on the platform that can gain full access to email. A secure email account is the One True Source of authentication in the digital world. Google should make it way harder for people to get tricked into granting full access to their inbox.

Is it actually Google or is there some unicode trickery going on?
From what I can tell, it's actually Google, but then they redirect you to a malicious URL after auth/approval
> A secure email account is the One True Source of authentication in the digital world.

The gmail account you use to talk with people shouldn't be the same one you use to send password resets to.

It's fine to allow CRM apps or whatever to have OAuth access to your regular gmail account, you just shouldn't give read-write access to the one you use for your retirement account or whatever. (Read-only access is much less dangerous, because even if someone can trigger a password reset email they can't delete it afterwards.)

> The gmail account you use to talk with people shouldn't be the same one you use to send password resets to.

The vast majority of services don't support setting a separate password reset email, so that would be a showstopper for most people. You'd end up just having another email account you have to check all the time (since non-reset email would also go to this account), and could still easily get bitten by this sort of spam/phishing.

> You'd end up just having another email account you have to check all the time

You'd need an extra tab open in your browser that you'd need to check multiple times per day. But most automated messages don't require a response within fifteen minutes or whatever, so there isn't much extra cognitive overhead. And for most people you probably also don't need that email address authed on your phone.

You don't seem to understand. Services send emails to users for a reason. Those users typically want to actually be able to read those emails. That means they need to actually check it regularly, and probably want it available on their phones as well. The email address used here is also the email address the service uses for password reset emails. If you redirect these services to a secondary email that you don't auth on your devices, then you're also greatly reducing the utility of these services.
The cognitive overhead is not my objection (and I agree it wouldn't be much). The problem is that most people's personal email isn't primarily about correspondence anymore; it's about interacting with the various services where you have accounts or subscriptions. So your special password-reset email is also the place where you receive your social media notifications (because your social media account doesn't let you set a separate email for notifications and password resets). So now your password-reset email account is just as vulnerable to phishing because it's _not_ just your password-reset email, and there's no way to make it so.
I think they do, I got an app shut down because it was named too similar to one of their products, this was just a week ago or so.
Manual review if it is reported? Because if it was manually reviewed before first use this never would have gotten through.
> 1. I can't believe Google doesn't have basic filters to disallow developers from registering an app named "Google Docs"

Believe! I think this is just one of the many cases where after the fact everyone is like "oh wow, how didn't they think about it". But that doesn't say you would have thought about this before reading this.

Anyone know how far spread this is? it just Hit our school emails
Very. Convincing and nicely coded to spread.

Thankfully, the attack method means Google just has to shut off the app in their systems (which they appear to have done).

Looks really wide. It hit our org too. Though in our case, we don't use Google accounts internally, and hence it isn't a threat to us.

And it looks like Google is responding. The link in the emails no longer works, as the OAuth credentials have been revoked. I assume Google will be removing all the applicable app permission grants themselves.

Anyone know how far spread this is? it just Hit our school emails
From the reddit link it looks like Google has fixed it:

> Googler here -- I'm escalating to the correct engineering and product teams now.

> Edit: This is now resolved. Less than a half-hour after escalation, wow! =)

> Final edit: problem is resolved. I clicked the link and got an "oauth client disabled" message. Not pretty, but at least you won't get phished.

"Fixed" in the sense that this app is now blocked. Is there anything to stop an other worm like this, with a different name?
I'm sure they'll do a post-mortem and come up with additional protections, they just take longer than the immediate fix.
Source code of the worm: https://pastebin.com/raw/EKdKamFq

Edit: How I got this:

Someone on reddit went to their site when it wasn't down, and downloaded the files linked in the page's HTML. I just posted it here.

This isn't the full source code. There was another PHP file visible on their website that unfortunately isn't visible anymore.

Sending everything to this mailinator address which oddly seems to be empty:

https://www.mailinator.com/inbox2.jsp?public_to=hhhhhhhhhhhh...

Maybe Mailinator has purged the box and is rejecting mail from it. Good on them.

Please correct me if I'm wrong, but I don't think anything was being sent to that mailinator address.

From looking at both that source code and emails received by my users, the mailinator address seems to be only in the message header "to" field, which, AFAIK, doesn't do anything other than display in the mail client.

The actual recipient's address is in the envelope recipient field.

I don't understand what the purpose of that mailinator address was.

It sends an email to that mailinator address, with all of the contacts BCC'd. mailinator shut it down very quickly but emails definitely went to that address.
They even used Google analytics! UA-98290545-1
I like how the code has Javadoc comments, in case other developers need to maintain the worm or use its public API.
Just checked the malicious link again.

It looks like Google removed (at least one of) their access tokens

Checked the URL containing:

  googledocs.g-docs.win%2Fg.php
(comment deleted)
I got a few, then it died. Perhaps Google now recognizes this as spam.
edit: accidentally double posted

double edit: 1. replied in above comment. 2. dunno. first time using HN, accidentally submitted twice when I was on comment posting cooldown I guess.

1. where did you get this 2. why did you post the link in 3 separate comments