
Beware! New Google Docs scam seeks to access your entire Gmail account

See the bottom of article for real-time updates on this developing story.

Today I received a Google Docs “invite” from a friend of mine, and after investigating, I’ve learned that lots of people are getting fake Google Docs invites. The Twitter-verse is ablaze right now with reports of people getting these:

So what is the scam and how is it spreading so quickly? You get an email from someone you actually know that looks like:

Yolanda Oster is a real friend of mine, making this email look even more authentic. If you click the Open in Docs button, you’re taken to a page on Google’s server, asking for permissions to your Inbox from an app called “Google Docs”. The tricky part is that “Google Docs” is not the Google Docs you know and love.

It’s a fake app that is named Google Docs, but it’s actually a guy named Eugene Pupov trying to trick you. Click the blue “Google Docs” link to get more info on the app:

Since the app will allow access to “manage your contacts” and “read, send, delete, and manage email”, it gives the attacker full access to your Inbox. It also allows the attacker to propagate the scam by sending the same email to all of your contacts.

I’m an expert at this because GMass requires the same type of access in order to send your mail merge campaigns through your Gmail account. Of course the difference is that GMass is a legitimate app providing a legitimate service, whereas eugene.pupov@gmail.com is trying to gain access to your account for far more sinister reasons.

Here’s what happens if you click ALLOW:

You’re taken to a page that looks like an Error page, but see the highlighted part? That’s an access token that’s likely been saved by the hacker, and that access token can be used to read the contents of your entire Gmail account.

What do you do if you already gave up access to your account?

Go here to view the apps connected to your Google Account and remove the fake “Google Docs”.

Remove the fake “Google Docs” app from the list of apps connected to your Google account.

Should you change your password?

Unfortunately, changing your password or enabling two-factor authentication will have no effect. The hacker has his own way into your Gmail account, and that is via the OAuth 2.0 access token shown above.

Who is Eugene Pupov and how can you get revenge?

Eugene Pupov is likely not a real person. Someone did, however, create a Google account with the email address eugene.pupov@gmail.com to create the fake “Google Docs” app. I suspect the FBI will track down the real perpetrator in short order. Google surely logs the IP addresses of everyone that creates a Google Developer account, which would have been necessary to create the fake app.

What are the best and worst case scenarios if you granted access to the fake Google Docs app?

It looks like Google has now removed the app, so if you haven’t fallen victim yet, you’re probably safe. If you did grant access though, even for a short time, it’s possible that the hacker retrieved the entire contents of your Gmail account and Contacts. In my expert opinion though, it’s unlikely that the attacker is planning on using that data in a malicious way. So, for example, if you have passwords and bank account logins stored in your email account, as many people do as a means of remembering and being able to search for their own logins, it’s likely harm won’t come your way, simply because that’s not the intent of most hackers. Most hackers just want to see if they can get away with perpetrating a scam. And, every major organization is now on high alert and will be looking for suspicious logins because of the pervasiveness of this news story.

How was this possible in the first place?

Any software developer can build an app which connects to users’ Google accounts and manages data. In fact, GMass is one such app, as is my other Gmail extension, Wordzen. One simply needs to create an app on the Google Developers Console, create an OAuth 2.0 sign-in, and get people to click a link that grants OAuth 2.0 access from the app to your Google account. The developer can specify what permissions he wants his app to request, and in this case, the fake Google Docs app requested permissions to manage your mail and manage your Contacts. A similar widespread story broke last week, when it was revealed that Unroll.me was selling user data to Uber. Unroll.me accesses your Gmail account using the same OAuth 2.0 mechanism that this malicious app does.
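The consent step described above is where the damage is decided: the scopes listed on Google's permission screen are exactly what the app gets. The following is an added example (not code from this post or from GMass) that parses a Google OAuth 2.0 consent URL and reports which requested scopes would hand over mail and contacts; the client_id and redirect_uri in the sample URL are constructed placeholders, not values from the real incident, and the risk labels are this example's own classification.

```python
from urllib.parse import urlparse, parse_qs

# Google OAuth 2.0 scopes and what each grants. The first and fourth entries
# correspond to the "read, send, delete, and manage email" and "manage your
# contacts" permissions the fake app asked for. Risk labels are our own.
SCOPE_RISK = {
    "https://mail.google.com/": ("full Gmail access: read, send, delete, manage", "high"),
    "https://www.googleapis.com/auth/gmail.send": ("send mail on your behalf", "high"),
    "https://www.googleapis.com/auth/gmail.readonly": ("read all mail", "high"),
    "https://www.googleapis.com/auth/contacts": ("read and manage contacts", "high"),
    "https://www.googleapis.com/auth/userinfo.email": ("see your email address", "low"),
    "openid": ("sign-in identity only", "low"),
}

def audit_consent_url(url):
    """Summarise who is asking for what in a Google OAuth consent URL."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)          # decodes %XX and '+' for us
    scopes = " ".join(q.get("scope", [])).split()
    findings = []
    for s in scopes:
        desc, risk = SCOPE_RISK.get(s, ("unknown scope", "unknown"))
        findings.append({"scope": s, "grants": desc, "risk": risk})
    redirect = q.get("redirect_uri", [""])[0]
    return {
        "host": parsed.netloc,                       # should be accounts.google.com
        "client_id": q.get("client_id", [""])[0],    # identifies the requesting app
        "redirect_host": urlparse(redirect).netloc,  # where the grant is sent
        "response_type": q.get("response_type", [""])[0],
        "scopes": findings,
        "high_risk": [f["scope"] for f in findings if f["risk"] == "high"],
    }

# Constructed sample in the shape of a real Google consent URL. client_id and
# redirect_uri are placeholders. response_type=token is the implicit flow, in
# which the access token is returned directly in the redirect URL.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/auth?"
    "client_id=CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&response_type=token"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)

if __name__ == "__main__":
    report = audit_consent_url(SAMPLE_URL)
    print("App:", report["client_id"], "-> redirects to", report["redirect_host"])
    for f in report["scopes"]:
        print(f"  [{f['risk']}] {f['scope']}: {f['grants']}")
```

The same parse works on the consent link behind any "Open in Docs"-style button; a mail scope plus a contacts scope from an app you did not install is the combination this worm relied on.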

More Resources

Every major tech blog is covering this story today, however, none are doing it as thoroughly as I have in my post! Still though, read more about the scam on Gizmodo, TechCrunch, and The Verge.

Updates

Update 3:46 PM CST: Google has removed the app. Meaning, if you haven’t already been tricked, you are safe, unless a copycat app emerges.

Update 4:14 PM CST: If you received the email in your Gmail or G Suite account, Google is now flagging the message as dangerous and has disabled the link.

Update 4:46 PM CST: 29 minutes ago Google made an official statement on the issue stating they have rectified the issue:

16 Comments
    1. I got hit with identity theft because of this. I am getting credit cards trying to be opened. They are all in everything of mine. He cannot get into my bank account, right?

  1. You always do a great job of explaining things in a way that non-computer scientists/developers would understand, and I appreciate that. I’ve sent this article to all my older family members so they can be wary of things like this.

  2. Hi Ajay,
    You have done a great job. I didn’t know about this email scam that is roaming around us before I got your email. Thank you for the information. Definitely, I’m gonna share it with my colleagues and friends.

  3. Thank you very much Ajay for your valuable time to enlighten all of us on this fake app’s intentions and how to avoid getting trapped!

    Thanks

  4. Thanks for the information Ajay. I have been tricked in a similar way, but not with the Google Doc. My account was logged into twice around 12:00 AM IST on alternate days until I changed the password. Is this something related to this?

  5. Hi Ajay

    It is very much helpful. I can’t even explain my satisfaction & obligation towards you, in words. No other people could do the way you did. You are simply awesome.
