If you have been paying attention to cyber security news in May, you will have heard of the widespread phishing attack that hit Google Drive users. A phishing worm was sent out to thousands of users, inviting them to open a seemingly Google Doc document.
Users were then asked to grant the app permission to access Google account details in order to open the document. It was pretending to be Google Docs, which is why users did not think it was suspicious, when in reality it was a phishing scam used to get access to private information. If you gave it permission, it would have sent out the same invite to all your contacts. This is just one example of such scams and Google has rolled out a new security feature that would make it harder for criminals to trick users.
After the May attack, Google already took measures to make similar attacks more difficult to perform by making developer identify guidelines and registration processes more strict. To further protect users, Google is now going to warn you when an unverified app will try to get access to your data. When an unverified app that uses Google’s OAuth is asking you to log in using your Google account, a warning will pop-up, informing you that the app has not been verified. You can proceed if you wish but the company warns you that you should only do so if you fully trust the app. If you press Advanced and then ‘Go to’ on the warning, you will be able to grant the app permission by typing ‘continue’ in the field that appears. It will only warn you about new apps for now but eventually it will extend to all existing apps as well.
This is much more than just a simple warning that some app may not be safe. There will be no accidental clicks to grant permission and since users will be asked to type in a word, they will be able to make more informed decisions and take the warning seriously. The screen will also display the name of the app as well as the developer, so users who pay attention will not fall for scams that use legitimate app names, as was the case with the Google Docs phishing scam.
This a good move by Google to ensure that users do not become victims of scams but it will only work if users take the warning seriously and do not go around granting permissions left and right. There is only so much a company can do. Users also need to take responsibility to ensure they are safe.
References
- New security protections to reduce risks from unverified apps. Google Developers Blog
- Google strengthens security to keep you from getting phished. Money.cnn.com