In response to recent attacks where hackers abused Google’s OAuth services to gain access to Gmail accounts, the company will review new web applications that request Google users’ data.
To better enforce its policy regarding access to user data through its APIs (application programming interfaces), which states that apps should not mislead users when presenting themselves and their intentions, Google is making changes to the third-party app publishing process, its risk assessment systems and the consent page it displays to users.
Google is an identity provider, which means other web apps can use Google as the authentication mechanism for users accessing the app. Apps use the OAuth protocol to do this. These apps can also use Google’s APIs to send users requests for information stored in Google’s services.
Last week, a large number of users received a well-crafted phishing email that asked them to view a document in Google Docs. Clicking on the link redirected them to a Google OAuth consent page that said an application called Google Docs wanted access to their contacts and Gmail accounts.
The reason this spoofing attack worked is that there was no mechanism to prevent a third-party app registered to Google’s OAuth service from using the same name as one of Google’s own apps—or the name of another legitimate third-party app.
Since the attack, Google has strengthened its risk assessment for new apps and made other changes to better detect such abuse. So app developers might see error messages when registering new applications or modifying existing ones in the Google API Console, Firebase Console, or Apps Script editor, the Google Identity Team said in a blog post.
On top of this, based on the results of the enhanced risk assessment, some web applications will need to undergo a manual review and approval process that could take from three to seven business days.
“Until the review is complete, users will not be able to approve the data permissions, and we will display an error message instead of the permissions consent page,” the Google identity team said.
For now, developers will only be able to request a review during the application testing phase, but in the future, Google will also allow review requests during the registration phase.
Until the app is reviewed, developers will be able to continue testing their app using their own account, as well as to add additional testers.