Google takes additional action against phishing by web apps
Google has announced an additional measure to protect users against phishing via web applications. The search giant now shows a warning when a user is about to grant access to an application that has not yet gone through its verification process.
Google introduced that process in May. It involves a risk analysis of applications that request user data; based on that analysis, a manual review can follow. Until that review was closed, users who tried to use such an app were presented with an error message. That error message is now replaced by a screen carrying an “unverified app” warning.
On that screen, users must indicate that they trust the developer before they can continue. Google has deliberately not made this a single button press but a slightly higher barrier: users must type ‘continue’ into a prompt before the application is granted the requested permissions. The same screen is shown for Apps Script projects that want OAuth access to a user account. The change does not apply to all web applications, only to apps that use OAuth, for example through Google Sign-In.
The change follows a number of earlier changes Google made in response to a phishing campaign that came to light in May. Victims received an email inviting them to open a Google Docs document. Clicking the link did not open a document but an OAuth consent screen for a third-party app that simply used the name “Google Docs” and showed the Drive logo. Once the victim accepted, the app gained access to their Google account, including their email and contacts. That access let the phishing email spread quickly to the victims’ contacts.
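The campaign above combines three signals an administrator can look for in OAuth consent records: the app is unverified, its display name imitates a Google product, and it asks for mail or contacts scopes; the self-propagation shows up as the same unverified client being granted by many users in a short time. The following is an added example of such triage logic, not code from the article or from Google. The grant records and their field names are constructed for the example and are not a real Google log schema; the scope URLs are the documented Google API scopes.

```python
import re
from collections import defaultdict

# Constructed sample of OAuth consent events, one per (user, client).
# The field names are an assumption for this example, not a real schema.
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "client_id": "100000000001-fake.apps.googleusercontent.com",
     "app_name": "Google Docs", "verified": False,
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "bob@example.com", "client_id": "100000000001-fake.apps.googleusercontent.com",
     "app_name": "Google Docs", "verified": False,
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "carol@example.com", "client_id": "100000000001-fake.apps.googleusercontent.com",
     "app_name": "Google Docs", "verified": False,
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "alice@example.com", "client_id": "100000000002-acme.apps.googleusercontent.com",
     "app_name": "Acme Expense Tracker", "verified": True,
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"user": "dave@example.com", "client_id": "100000000003-sync.apps.googleusercontent.com",
     "app_name": "Drive Backup", "verified": False,
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
    {"user": "erin@example.com", "client_id": "100000000004-mm.apps.googleusercontent.com",
     "app_name": "Contoso Mail Merge", "verified": True,
     "scopes": ["https://www.googleapis.com/auth/gmail.send"]},
]

# Display names that borrow a Google product name, as the fake "Google Docs" app did.
FIRST_PARTY_NAMES = re.compile(r"\b(google|gmail|drive|docs|sheets|slides|calendar)\b",
                               re.IGNORECASE)

# Scopes that hand an attacker the mailbox and address book needed to spread further.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}


def assess_grant(grant):
    """Return the reasons a single consent event looks suspicious and whether it is flagged."""
    reasons = []
    if not grant["verified"]:
        reasons.append("unverified app")
    match = FIRST_PARTY_NAMES.search(grant["app_name"])
    if match:
        reasons.append(f"name imitates a Google product ({match.group(0)})")
    risky = sorted(set(grant["scopes"]) & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    # A verified app with a Google-like name or mail scopes may be legitimate.
    # An unverified app that also imitates Google or asks for mail/contacts is
    # the pattern behind the "Google Docs" campaign, so only that combination flags.
    flagged = (not grant["verified"]) and len(reasons) >= 2
    return {"user": grant["user"], "client_id": grant["client_id"],
            "flagged": flagged, "reasons": reasons}


def flagged_clients(grants):
    """Distinct client_ids with at least one flagged grant, in first-seen order."""
    seen = []
    for grant in grants:
        result = assess_grant(grant)
        if result["flagged"] and result["client_id"] not in seen:
            seen.append(result["client_id"])
    return seen


def burst_clients(grants, min_users=3):
    """Unverified clients granted by at least min_users distinct users in the sample.

    This is the self-propagation signal: one unverified client suddenly
    collecting consents from many accounts in the same organisation.
    """
    users_per_client = defaultdict(set)
    for grant in grants:
        if not grant["verified"]:
            users_per_client[grant["client_id"]].add(grant["user"])
    return sorted(c for c, users in users_per_client.items() if len(users) >= min_users)


if __name__ == "__main__":
    for grant in SAMPLE_GRANTS:
        result = assess_grant(grant)
        if result["flagged"]:
            print(result["client_id"], result["user"], "; ".join(result["reasons"]))
    print("burst:", burst_clients(SAMPLE_GRANTS))
```

Verification status gates the verdict on purpose: a verified app that carries a Google-like name or requests Gmail scopes (the "Contoso Mail Merge" record) is not flagged, while an unverified app imitating "Drive" is flagged even without mail scopes. The burst check is independent of the name heuristic, so it still catches an unverified client whose display name gives nothing away.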