Google's identity services under review following OAuth exploit in Gmail attack

Earlier in the month, there was a sophisticated attack that focused on stealing access to a user's Google account rather than just obtaining the username and password, by the abuse of the OAuth protocol, a means for internet services like Google, Twitter and Facebook to connect with third-party apps.

The attack was made possible because of error in the mechanism to prevent a third-party app registered to Google’s OAuth service from using the same name as one of Google’s own apps or the name of another legitimate app.

In response, Google's OAuth services is currently under review, so users will not be able to approve the data permissions, rather an error message will be displayed instead of the permissions consent page.

Google intends to strengthen its risk assessment for new apps and make some new changes to better detect such abuse in the future.

As a result developers might see error messages when registering new applications or modifying existing ones in the Google API Console, Firebase Console, or Apps Script editor.

Developers will be able to request a review during the application testing phase, and until the app is reviewed, they can only be able to continue testing their app using their own account, as well as to add additional testers.

And based on the results of the enhanced risk assessment, some web applications may need to undergo a manual review and approval process that could take several days to complete.
Next Post »