See the bottom of the article for real-time updates on this developing story.
Today I received a Google Docs “invite” from a friend of mine, and after investigating, I’ve learned that lots of people are getting fake Google Docs invites. The Twitter-verse is ablaze right now with reports of people getting these:
So what is the scam, and how is it spreading so quickly? You get an email from someone you actually know that looks like this:
Yolanda Oster is a real friend of mine, making this email look even more authentic. If you click the Open in Docs button, you’re taken to a page on Google’s server, asking for permissions to your Inbox from an app called “Google Docs”. The tricky part is that “Google Docs” is not the Google Docs you know and love.
It’s a fake app that is named Google Docs, but it’s actually a guy named Eugene Pupov trying to trick you. Click the blue “Google Docs” link to get more info on the app:
Since the app will allow access to “manage your contacts” and “read, send, delete, and manage email”, it gives the attacker full access to your Inbox. It also allows the attacker to propagate the scam by sending the same email to all of your contacts.
I’m an expert at this because GMass requires the same type of access in order to send your mail merge campaigns through your Gmail account. Of course the difference is that GMass is a legitimate app providing a legitimate service, whereas firstname.lastname@example.org is trying to gain access to your account for far more sinister reasons.
Here’s what happens if you click ALLOW:
You’re taken to a page that looks like an Error page, but see the highlighted part? That’s an access token that’s likely been saved by the hacker, and that access token can be used to read the contents of your entire Gmail account.
What do you do if you already gave up access to your account?
Go here to view the apps connected to your Google Account and remove the fake “Google Docs”.
Should you change your password?
Unfortunately, changing your password or enabling two-factor authentication will have no effect. The hacker has his own way into your Gmail account, and that is via the OAuth 2.0 access token shown above.
Who is Eugene Pupov and how can you get revenge?
Eugene Pupov is likely not a real person. Someone did, however, create a Google account with the email address email@example.com to create the fake “Google Docs” app. I suspect the FBI will track down the real perpetrator in short order. Google surely logs the IP addresses of everyone who creates a Google Developer account, which would have been necessary to create the fake app.
What are the best and worst case scenarios if you granted access to the fake Google Docs app?
It looks like Google has now removed the app, so if you haven’t fallen victim yet, you’re probably safe. If you did grant access though, even for a short time, it’s possible that the hacker retrieved the entire contents of your Gmail account and Contacts. In my expert opinion though, it’s unlikely that the attacker is planning on using that data in a malicious way. So, for example, if you have passwords and bank account logins stored in your email account, as many people do as a means of remembering and being able to search for their own logins, it’s likely harm won’t come your way, simply because that’s not the intent of most hackers. Most hackers just want to see if they can get away with perpetrating a scam. And, every major organization is now on high alert and will be looking for suspicious logins because of the pervasiveness of this news story.
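For an organization doing that looking, the grant itself does not show up as a login at all: Google Workspace records it as a token-audit event. The following is an added example, not code from this post or from GMass. It is a Python detection that reads such events and flags grants that carry mailbox or contacts scope, that come from a third-party client named after a Google product, or that many users consent to within a short window, which is the worm-like spread described above. The record shape is modelled on the Admin SDK Reports API “token” application’s authorize events (app_name, client_id and scope parameters); the events, users, client_id values, thresholds and the spoof-name list are all constructed for this example.

```python
"""Flag risky third-party OAuth grants in Google Workspace token-audit events.

Added example, not code from the original post or from GMass. The record
shape follows the Admin SDK Reports API "token" application (authorize events
with app_name, client_id and scope parameters); the events, users, client_id
values and thresholds below are constructed, and the spoof-name list is a
heuristic of this example, not a Google feature.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

MAILBOX_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts",
}
# Google's own products never appear as third-party consent grants, so a
# third-party client wearing one of these names is borrowing Google's trust.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "google sheets", "gmail"}


def _params(event: dict) -> dict:
    """Flatten the Reports API parameter list into {name: value}."""
    return {p["name"]: p.get("multiValue", p.get("value")) for p in event.get("parameters", [])}


def parse_token_events(lines):
    """Turn raw JSON audit records into a flat list of authorize grants."""
    grants = []
    for line in lines:
        rec = json.loads(line)
        when = datetime.strptime(rec["id"]["time"], "%Y-%m-%dT%H:%M:%SZ")
        for ev in rec["events"]:
            if ev["name"] != "authorize":  # revoke and activity events are not grants
                continue
            p = _params(ev)
            grants.append({
                "time": when,
                "user": rec["actor"]["email"],
                "app_name": p.get("app_name", ""),
                "client_id": p.get("client_id", ""),
                "scopes": set(p.get("scope") or []),
            })
    return grants


def spreading_clients(grants, threshold, window):
    """client_ids that at least `threshold` distinct users consented to within `window`."""
    by_client = defaultdict(list)
    for g in grants:
        by_client[g["client_id"]].append(g)
    hits = set()
    for cid, gs in by_client.items():
        gs.sort(key=lambda g: g["time"])
        for start in gs:
            users = {g["user"] for g in gs if start["time"] <= g["time"] <= start["time"] + window}
            if len(users) >= threshold:
                hits.add(cid)
                break
    return hits


def find_risky_grants(lines, threshold=3, window=timedelta(hours=1)):
    """Return one finding per grant that deserves an analyst's attention."""
    grants = parse_token_events(lines)
    worms = spreading_clients(grants, threshold, window)
    findings = []
    for g in grants:
        reasons = []
        if g["scopes"] & MAILBOX_SCOPES:
            reasons.append("mailbox or contacts scope")
        if g["app_name"].strip().lower() in GOOGLE_PRODUCT_NAMES:
            reasons.append("third-party client named after a Google product")
        if g["client_id"] in worms:
            reasons.append(f"{threshold}+ users granted this client within {window}")
        if reasons:
            findings.append({"user": g["user"], "app_name": g["app_name"],
                             "client_id": g["client_id"], "reasons": reasons})
    return findings


def _event(time, user, name, app, cid, scopes):
    """Build one constructed audit record in the Reports API shape."""
    params = [{"name": "app_name", "value": app}, {"name": "client_id", "value": cid}]
    if scopes:
        params.append({"name": "scope", "multiValue": scopes})
    return json.dumps({"id": {"time": time}, "actor": {"email": user},
                       "events": [{"name": name, "parameters": params}]})


FAKE = "000000000000-fakedocs.apps.googleusercontent.com"   # placeholder client_id
MERGE = "111111111111-mailmerge.apps.googleusercontent.com"  # placeholder client_id
CAL = "222222222222-calendar.apps.googleusercontent.com"     # placeholder client_id
MAIL_AND_CONTACTS = ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]

SAMPLE_LOG = [  # constructed sample, not real audit data
    _event("2017-05-03T20:05:12Z", "alice@example.com", "authorize", "Google Docs", FAKE, MAIL_AND_CONTACTS),
    _event("2017-05-03T20:11:40Z", "bob@example.com", "authorize", "Google Docs", FAKE, MAIL_AND_CONTACTS),
    _event("2017-05-03T20:15:02Z", "carol@example.com", "authorize", "Mail Merge Tool", MERGE, ["https://mail.google.com/"]),
    _event("2017-05-03T20:22:58Z", "dave@example.com", "authorize", "Google Docs", FAKE, MAIL_AND_CONTACTS),
    _event("2017-05-03T20:30:00Z", "erin@example.com", "authorize", "Calendar Helper", CAL, ["https://www.googleapis.com/auth/calendar.readonly"]),
    _event("2017-05-03T21:00:00Z", "alice@example.com", "revoke", "Google Docs", FAKE, None),
]

if __name__ == "__main__":
    for f in find_risky_grants(SAMPLE_LOG):
        print(f"{f['user']:<20} {f['app_name']:<16} {', '.join(f['reasons'])}")
```

Note what separates the two mail-scope clients in the sample: the constructed mail-merge tool is flagged for scope alone, which is exactly the access a legitimate mail-merge service like GMass also needs, so that reason by itself is an inventory item rather than an alert. The fake “Google Docs” client collects all three reasons, and the spread reason is the one that fires regardless of what name the client chooses.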
How was this possible in the first place?
Any software developer can build an app that connects to users’ Google accounts and manages their data. In fact, GMass is one such app, as is my other Gmail extension, Wordzen. One simply needs to create an app in the Google Developers Console, set up an OAuth 2.0 sign-in, and get people to click a link that grants the app OAuth 2.0 access to their Google account. The developer specifies which permissions the app requests, and in this case the fake Google Docs app requested permission to manage your mail and manage your Contacts. A similar widespread story broke last week, when it was revealed that Unroll.me was selling user data to Uber. Unroll.me accesses your Gmail account using the same OAuth 2.0 mechanism that this malicious app does.
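Since that consent link is the whole mechanism, it helps to know what to look at before clicking ALLOW. The following is an added example, not code from this post or from GMass: a small Python checker that parses an OAuth 2.0 authorization URL of the kind the “Open in Docs” button points at and reports which party would receive the grant (the redirect_uri host, not the display name on the consent screen), which scopes it covers, and whether it asks for a refresh token. The scope URIs are Google’s real ones; the client_id, redirect hosts and sample links are constructed placeholders.

```python
"""Inspect a Google OAuth 2.0 consent link before clicking "Open in Docs".

Added example, not code from the original post or from GMass. It takes the
authorization URL such a button points at and reports who would actually
receive the grant and which scopes it asks for. The scope URIs are Google's
real ones; the client_id, redirect_uri and sample links are constructed
placeholders.
"""
from urllib.parse import parse_qs, urlparse

# Scopes that give an app the run of the mailbox and address book. A legitimate
# mail-merge tool needs some of these too, so the question is never "does it
# ask?" but "do I trust the party named in redirect_uri with this?".
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read, send and delete access to Gmail",
    "https://www.googleapis.com/auth/gmail.modify": "read, send and modify mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as you",
    "https://www.googleapis.com/auth/contacts": "read and manage contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read all contacts",
}

# Google's real consent screen is served from this host; anything else is a lookalike.
GOOGLE_CONSENT_HOST = "accounts.google.com"


def parse_consent_link(url: str) -> dict:
    """Pull the consent-screen fields out of an OAuth 2.0 authorization URL."""
    parts = urlparse(url)
    q = parse_qs(parts.query)

    def first(key: str) -> str:
        return q.get(key, [""])[0]

    return {
        "host": (parts.hostname or "").lower(),
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "access_type": first("access_type"),
        # The scope parameter is one space-separated string of scope URIs.
        "scopes": first("scope").split(),
    }


def assess_consent_link(url: str) -> dict:
    """Rate a consent link: who receives the grant, what it covers, how long it lasts."""
    info = parse_consent_link(url)
    risky = [HIGH_RISK_SCOPES[s] for s in info["scopes"] if s in HIGH_RISK_SCOPES]
    # access_type=offline asks for a refresh token, so the app keeps access
    # until the grant is revoked, however often the password changes.
    persistent = info["access_type"] == "offline"
    findings = []
    if info["host"] != GOOGLE_CONSENT_HOST:
        findings.append(f"consent page is not served by Google: {info['host']}")
    if risky:
        findings.append("asks for mailbox/contacts access: " + "; ".join(risky))
    if persistent:
        findings.append("asks for a refresh token (access survives a password change)")
    return {
        "risk": "high" if risky else "low",
        # The display name on the consent screen is chosen by the developer;
        # the redirect_uri host is the party that really receives the grant.
        "recipient": (urlparse(info["redirect_uri"]).hostname or "").lower(),
        "client_id": info["client_id"],
        "scopes": info["scopes"],
        "risky": risky,
        "persistent": persistent,
        "findings": findings,
    }


# Constructed sample links (placeholder client_id and redirect hosts).
FAKE_DOCS_LINK = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=000000000000-placeholder.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-invite.example%2Fcallback"
    "&response_type=code&access_type=offline"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)
SIGN_IN_ONLY_LINK = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=000000000000-placeholder.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&response_type=code"
    "&scope=openid+email"
)

if __name__ == "__main__":
    for link in (FAKE_DOCS_LINK, SIGN_IN_ONLY_LINK):
        report = assess_consent_link(link)
        print(report["risk"].upper(), "grant goes to", report["recipient"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run it as a script to see the two sample links rated. A “high” rating is not by itself proof of fraud, because a legitimate mail-merge service asks for the same mailbox scopes; what it tells you is that this grant deserves the scrutiny you would give to handing over your password, and that the name shown on the consent screen is not the party that receives it.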
Update 3:46 PM CST: Google has removed the app. Meaning, if you haven’t already been tricked, you are safe, unless a copycat app emerges.
Update 4:14 PM CST: If you received the email in your Gmail or G Suite account, Google is now flagging the message as dangerous and has disabled the link.
Update 4:46 PM CST: 29 minutes ago, Google made an official statement saying they have rectified the issue:
Ajay is the founder of GMass and has been developing email sending software for 20 years.