Ask HN: Google Doc email virus?
We just received multiple "google doc shares" that seemed sketchy and were not sent by the claimed sender.
They came from different companies that have no connection to each other, I assume others are seeing them too right about now. Anyone know whats up?
219 comments
[ 3.4 ms ] story [ 251 ms ] thread"&redirect_uri=3Dhttps%3A%2F%2Fgoogledocs.docscloud.info%2Fg.php&customparam=3Dcustomparam"
This is what the attack actually looks like: https://twitter.com/zachlatta/status/859843151757955072
I guess that probably just means someone working there got it though.
If you fell for this, changing your password is not the right solution - you want to log into your google account and remove permissions from the application.
https://myaccount.google.com/permissions?pli=1 should show a list of apps connected to your account.
Also, if you fell for this, you sent a bunch of emails to people like the one you received, so maybe tell them not to click.
http://youtu.be/fjEenkk9Ntk?hd=1
Pretty much what you'd expect.
Edit: This isn't the full source code. There was another PHP file visible on their website that unfortunately isn't visible anymore.
https://www.mailinator.com/inbox2.jsp?public_to=hhhhhhhhhhhh....
Maybe Mailinator has purged the box and is rejecting mail from it. Good on them.
(or is that somehow against the 'only our anonymized ad display program can scan your email' privacy policy?)
How do you figure? An unknown actor presumably had full access to your email inbox for a non-zero amount of time and the proper remediation is "nothing"? If I was concerned this had affected me I would right now be changing my passwords to ____everything____.
If your email account is compromised, any service that do password resets via email confirmation, are potentially compromised by whoever has access to your email via OAuth.
Although I guess if you had a circular recovery chain of this google account depending on a different email that depended on this google account, the attacker could use your email to recover the other email then use the other email to recover this google account. So it might be wise to change the passwords to everything.
On initial inspection the URL looks harmless, but it's got some malicious params in there, mainly
It appears to request read/send access to your email, and then spam all your contacts> We're investigating reports of an issue with Google Drive. We will provide more information shortly.
https://www.google.com/appsstatus#hl=en&v=issue&sid=4&iid=c7...
1. I can't believe Google doesn't have basic filters to disallow developers from registering an app named "Google Docs"
2. Perhaps there should be some more validation/limits associated with allowing apps on the platform that can gain full access to email. A secure email account is the One True Source of authentication in the digital world. Google should make it way harder for people to get tricked into granting full access to their inbox.
https://github.com/codebox/homoglyph
http://homoglyphs.net/
The gmail account you use to talk with people shouldn't be the same one you use to send password resets to.
It's fine to allow CRM apps or whatever to have OAuth access to your regular gmail account, you just shouldn't give read-write access to the one you use for your retirement account or whatever. (Read-only access is much less dangerous, because even if someone can trigger a password reset email they can't delete it afterwards.)
The vast majority of services don't support setting a separate password reset email, so that would be a showstopper for most people. You'd end up just having another email account you have to check all the time (since non-reset email would also go to this account), and could still easily get bitten by this sort of spam/phishing.
You'd need an extra tab open in your browser that you'd need to check multiple times per day. But most automated messages don't require a response within fifteen minutes or whatever, so there isn't much extra cognitive overhead. And for most people you probably also don't need that email address authed on your phone.
Believe! I think this is just one of the many cases where after the fact everyone is like "oh wow, how didn't they think about it". But that doesn't say you would have thought about this before reading this.
https://motherboard.vice.com/en_us/article/massive-gmail-goo...
https://www.theverge.com/2017/5/3/15534768/google-docs-phish...
https://blog.malwarebytes.com/cybercrime/2017/05/google-docs...
Thankfully, the attack method means Google just has to shut off the app in their systems (which they appear to have done).
And it looks like Google is responding. The link in the emails no longer works, as the OAuth credentials have been revoked. I assume Google will be removing all the applicable app permission grants themselves.
https://www.google.com/appsstatus#hl=en&v=issue&sid=4&iid=c7...
https://www.reddit.com/r/google/comments/692cr4/new_google_d...
https://www.theverge.com/2017/5/3/15534768/google-docs-phish...
> Googler here -- I'm escalating to the correct engineering and product teams now.
> Edit: This is now resolved. Less than a half-hour after escalation, wow! =)
> Final edit: problem is resolved. I clicked the link and got an "oauth client disabled" message. Not pretty, but at least you won't get phished.
Edit: How I got this:
Someone on reddit went to their site when it wasn't down, and downloaded the files linked in the page's HTML. I just posted it here.
This isn't the full source code. There was another PHP file visible on their website that unfortunately isn't visible anymore.
https://www.mailinator.com/inbox2.jsp?public_to=hhhhhhhhhhhh...
Maybe Mailinator has purged the box and is rejecting mail from it. Good on them.
From looking at both that source code and emails received by my users, the mailinator address seems to be only in the message header "to" field, which, AFAIK, doesn't do anything other than display in the mail client.
The actual recipient's address is in the envelope recipient field.
I don't understand what the purpose of that mailinator address was.
It looks like Google removed (at least one of) their access tokens
Checked the URL containing:
double edit: 1. replied in above comment. 2. dunno. first time using HN, accidentally submitted twice when I was on comment posting cooldown I guess.