Google Docs users were hit by a widespread phishing attempt earlier today, allowing a sophisticated attacker to obtain contact lists and access Gmail accounts to spread spam messages widely. In a statement to The Verge, Google has confirmed it has now fixed the phishing attack. “We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts,” says a Google spokesperson. “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again.”
It’s not immediately clear how an attacker was able to execute such a sophisticated phishing attempt. Attackers took advantage of a weakness in Google’s system, one that may or may not have existed for some time, which allowed developers to create a non-Google web app bearing the “Google Docs” name. The phishing emails spread much like an old-style computer worm, propagating automatically after the fake web app stole contact lists from unsuspecting Gmail users who had received emails that looked like genuine invitations to edit Google documents.
Either way, Google has fixed this problem and is now altering its systems to prevent developers from abusing its authentication systems to spoof Google’s own products and services. What we still don’t know is just how sophisticated this attack was. The attackers were able to automate contact collection to spread the attack, and the fake web app also requested access to read, send, delete, and manage Gmail accounts.
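As an added illustration, not part of The Verge’s report or of Google’s own systems, the following Python screens constructed OAuth consent requests for the combination described above: a third-party app that borrows a Google product name while asking for broad Gmail or Contacts access. The scope URIs are Google’s real ones; the `verified_publisher` field, the reserved-name list and the sample requests are assumptions made for the example.

```python
# Added example: screen OAuth consent requests for apps that impersonate a
# first-party Google product while requesting mail/contacts access.
import unicodedata
from dataclasses import dataclass, field

# Real Google scope URIs; which ones count as "sensitive" is our choice.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",                          # full read/send/delete
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/contacts",
}
# First-party product names a third-party developer should not be able to use
# (assumed list for the example).
RESERVED_NAMES = {"google docs", "google drive", "gmail", "google"}

IMPERSONATION = "app name impersonates a first-party Google product"
SENSITIVE = "impersonating app requests sensitive scopes"


@dataclass
class ConsentRequest:
    app_name: str
    verified_publisher: bool          # assumed: publisher domain is Google-owned
    scopes: set = field(default_factory=set)


def normalize(name: str) -> str:
    """Fold Unicode compatibility forms (fullwidth letters etc.) and case, then
    collapse whitespace so look-alike spellings compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def screen(req: ConsentRequest) -> list:
    """Return the reasons to block this consent request; empty means allow."""
    reasons = []
    if req.verified_publisher:
        return reasons                  # first-party apps may use their own names
    name = normalize(req.app_name)
    if any(reserved in name for reserved in RESERVED_NAMES):
        reasons.append(IMPERSONATION)
        requested = sorted(req.scopes & SENSITIVE_SCOPES)
        if requested:
            reasons.append(f"{SENSITIVE}: {', '.join(requested)}")
    return reasons
```

The check deliberately does not block a third-party app merely for requesting `gmail.modify`; the signal the article describes is the spoofed product name combined with those scopes.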
In a statement issued late Wednesday night, Google assured Gmail users that, beyond contact info, no other sensitive data was gleaned from the attack and no further action is necessary to protect accounts:
We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third-party apps connected to their account can visit Google Security Checkup.
Update at 10:49PM ET, 5/3: Added new statement from Google.