For almost six years, Google knew about the exact technique that someone used to trick around one million people into giving away access to their Google accounts to hackers on Wednesday. Even more worrisome: other hackers might have known about this technique as well.
On October 4, 2011, a researcher speculated in a mailing list that hackers could trick users into giving them access to their accounts by simply posing as a trustworthy app.
This attack, the researcher argued in the message, hinges on creating a malicious application and registering it on the OAuth service under a name like "Google," exploiting the trust that users have in the OAuth authorization process. OAuth is a standard that allows users to grant websites or applications access to their online email and social networking accounts, or parts of their accounts, without giving up their passwords. It is commonly used throughout the web, and typically shows up as a menu that lets you select which of your personal accounts (such as your Google or Facebook account) you want to use to sign into or connect to another service.
Read more: Would You Click on These Fake Gmail Alerts?
"Imagine someone registers a client application with an OAuth service, let's call it Foobar, and he names his client app 'Google, Inc.'. The Foobar authorization server will engage the user with 'Google, Inc. is requesting permission to do the following,'" Andre DeMarre wrote in the message sent to the Internet Engineering Task Force (IETF), the independent organization responsible for many of the internet's operating standards.
"The resource owner might reason, 'I see that I'm legitimately on the https://www.foobar.com site, and Foobar is telling me that Google wants permission. I trust Foobar and Google, so I'll click Allow,'" DeMarre concluded.
If that sounds really familiar, is because that's pretty much exactly how someone tricked around one million people into giving up full access to their Google accounts to a malicious app named "Google Doc." The viral, "dynamite phishing" scheme ripped through the internet on Wednesday for around an hour before Google shut down the malicious app and its infrastructure. (We're calling it "dynamite phishing" because it's basically the digital equivalent of the real thing—a way to catch a bunch of users with a single blast.)
As it turns out, DeMarre claims he warned Google directly about this vulnerability in 2012, and suggested that Google address it by checking to see ensure the name of any given app matched the URL of the company behind it. In a Hacker News post, DeMarre said he reported this attack vector back then, and got a "modest bounty" for it.
"I'm a little surprised it has taken so long for a worm like this one to get attention," DeMarre told Motherboard.
A few months after he reported the issue, DeMarre said Google told him the following: "We're deploying some abuse detection and reactive measures to deal with impostors that might try to abuse this sort of attack. Given this, we do not intend to perform validation that the URL matches the branding information."
DeMarre criticized Google's decision not to perform the URL validation, which was one of his suggestions to mitigate the risks. The researcher also theorized this could be easily turned into a worm, foreshadowing this week's attack.
"[If the] service is a social platform, the client app might distribute links using resource owners' accounts with the access tokens it has acquired, becoming a sort of worm," DeMarre wrote.
Fast forward five years, and someone mimicked DeMarre's technique, creating a malicious Google Doc app that tricked millions. A similar technique has also been previously used by the Russian hacking group known as APT28 or Fancy Bear. It's possible someone else used the same technique in the last five years, without getting caught. The reason Wednesday's dynamite phishing campaign was caught and disabled quickly was because it spread so quickly and affected major media companies, which rapidly reported on the news. It effect, it was so extremely virulent that its success contributed to its downfall.
Google was lauded for its quick response to the mass phishing email, disabling the app a little over an hour after the first reports were published online. But why did the company let a random developer create an app called "Google Doc" in the first place? Especially considering they had known about this attack vector for five years?
"To not even filter names of your own products out seems ripe picking for imposter apps," said another Hacker News user.
This story has been updated to include DeMarre's comments.
Subscribe to Science Solved It, Motherboard's new show about the greatest mysteries that were solved by science.