Since a phishing scam perpetrated in May that may have targeted millions of Gmail and Google Docs users, Google has introduced a number of security changes aimed at preventing a repeat.
Announced yesterday, one of the latest updates will pop up an "unverified app" warning when user systems attempt to access new apps or Google Apps Scripts that haven't yet been reviewed by Google. The warning will give users the option to either cancel their actions or proceed by acknowledging they are familiar with the developers of the apps.
By allowing users to launch app actions anyway, the new warning system will also help developers test their applications before they've completed Google's verification process.
Google continues to make such security tweaks to prevent a repeat of this spring's Google Docs phishing scam. The scam sent users what appeared to be a legitimate message from one of their Gmail contacts, but then linked to an unverified third-party app rather than to Google Docs.
"Over the past few months, we've required that some new Web applications go through a verification process prior to launch based upon a dynamic risk assessment," Identity team member Naveen Agarwal and G Suite developer advocate Wesley Chun wrote in a blog post yesterday. "Today, we're expanding upon that foundation, and introducing additional protections: bolder warnings to inform users about newly created web apps and Apps Scripts that are pending verification."
Agarwal and Chun added that Google plans to expand its apps verification process over the coming months, and to extend the pop-up warnings to existing apps as well.
The "unverified app" warning will also show up before an Apps Script that hasn't yet been reviewed by Google is allowed to launch. Developers use Google's Apps Script language to automate tasks that connect Google products to third-party services and apps. For example, those tasks can include the launching of OAuth, which is the Open Authorization standard that lets online users access third-party services without having to re-enter their account passwords.
May's Google Docs phishing scam presented users with a legitimate OAuth permissions page, but granting the requested permissions gave access not to Google Docs but to a suspicious third-party app that used the same name.
App Market Keeps Growing -- So Do Email Attacks
As of last month, some 54.3 percent of all emails were spam, according to a recent online security update from Symantec. And in its Q1 2017 Quarterly Threat Report, the security firm Proofpoint reported a rising use of malicious links rather than malicious attachments in targeted email attacks.
The app market, meanwhile, is also expanding rapidly. Last year, app downloads from Google Play for Android and from Apple's iOS App Store shot past 90 billion, according to the 2016 Retrospective from the application-focused analyst App Annie.
Google said it plans to expand efforts to protect users from phishing and other malicious attacks by rolling out verification requirements for existing apps over the coming months. Agarwal and Chun noted that developers could help prepare for that by ensuring that their contact information and OAuth consent screen configurations are up to date.
After May's phishing attack, Google also added OAuth apps whitelisting for enterprise users of its G Suite productivity tools. The new whitelisting lets system administrators specify which third-party apps are allowed to access their organizations' user data.
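As an added illustration (not code from Google or from the article), the following Python policy check models the admin allowlisting described above: trust is keyed on the OAuth client ID rather than on the app's display name, which is the field the spoofed "Google Docs" app relied on. The client IDs, the first-party name list and the sensitive-scope list are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Product names that a non-allowlisted third-party app should never present
# on a consent screen (assumed list; borrowing such a name is the May 2017 pattern).
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail"}

# Scopes that hand over mail and contacts. These are real Google scope strings,
# chosen as examples; the article does not list the scopes the scam requested.
SENSITIVE_SCOPES = {"https://mail.google.com/",
                    "https://www.googleapis.com/auth/contacts"}

@dataclass(frozen=True)
class ConsentRequest:
    client_id: str      # issued by the OAuth provider; the developer cannot pick it
    display_name: str   # shown on the consent screen; the developer picks it freely
    scopes: frozenset   # scopes the app asks the user to grant
    verified: bool      # whether the provider has reviewed the app

def evaluate(req: ConsentRequest, allowlist: frozenset) -> tuple:
    """Return (decision, reason) where decision is 'allow', 'warn' or 'block'.
    The allowlist is matched on client_id only; display_name is never trusted."""
    if req.client_id in allowlist:
        return "allow", "client_id is on the admin allowlist"
    if req.display_name.strip().lower() in FIRST_PARTY_NAMES:
        return "block", "non-allowlisted app uses a first-party product name"
    if not req.verified and req.scopes & SENSITIVE_SCOPES:
        return "block", "unverified app requests mail or contacts access"
    if not req.verified:
        return "warn", "unverified app: show the 'unverified app' warning"
    return "warn", "verified app not on the allowlist: needs admin review"

# Constructed sample requests with hypothetical client IDs.
ALLOWLIST = frozenset({"trusted-addon-client-id.example"})
SPOOFED_DOCS = ConsentRequest("attacker-client-id.example", "Google Docs",
                              frozenset(SENSITIVE_SCOPES), verified=False)
TRUSTED = ConsentRequest("trusted-addon-client-id.example", "Docs Add-on",
                         frozenset({"https://www.googleapis.com/auth/drive.file"}),
                         verified=True)
PENDING = ConsentRequest("new-dev-client-id.example", "Sheet Helper",
                         frozenset({"https://www.googleapis.com/auth/drive.file"}),
                         verified=False)

if __name__ == "__main__":
    for req in (SPOOFED_DOCS, TRUSTED, PENDING):
        print(req.display_name, "->", evaluate(req, ALLOWLIST))
```

The spoofed request is blocked on its name collision before its scopes are even considered, while a verified app outside the allowlist still only gets a warning, mirroring the staged rollout the article describes.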
Posted: 2017-07-20 @ 12:00am PT