Google is making it even harder to accidentally install a malicious plugin. Today, the company announced new changes to the way Google services handle plugins, adding new warnings for users and a more involved verification system for apps. The result is more scrutiny on apps plugging into Google services, and more active involvement from Google when an app seems suspicious.
The changes come after a sophisticated phishing worm hit Google Drive users in May, masquerading as an invitation to collaborate on a document. The malicious plugin was not controlled by Google, but because it was named “Google Docs,” the app was able to fool many users into granting access. Once granted access, it sent a new request to everyone in the target’s contact list, allowing the app to spread virally. Ultimately, the app was blacklisted by Google, but not before it reached tens of thousands of users.
Today, such an attack would be much harder to perform. Shortly after the worm, Google strengthened its developer registration systems, making it harder for anonymous actors to plug unknown apps into Google accounts. The announcement today takes that system even further, warning users whenever an unverified app requests access to user data.
Malicious or compromised plugins remain a significant security risk for Google and other platforms, as a string of recent incidents has demonstrated. The security group OurMine has specialized in such attacks, posting false messages from accounts controlled by Sundar Pichai, Jack Dorsey, and Sony Music, which tweeted a false report of Britney Spears’ death.
In each case, OurMine gained access by compromising a third-party application that was authorized to post to the targeted account. An active social media user might have hundreds of plugins authorized to access their Twitter or Facebook account, giving hackers hundreds of potential ways in. Users can protect against these attacks by monitoring authorized applications and revoking access for any apps they no longer use.
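The checks described above (an unverified-app warning, a third-party app borrowing a first-party name like “Google Docs”, and pruning grants that are no longer used) can be run as a small audit over a list of authorized apps. This is an added example, not code from the article or from Google; the grant records, trusted-publisher domains and scope names are constructed for illustration and do not come from any real API.

```python
"""Audit third-party app grants for the warning signs discussed in the article."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed: publishers allowed to use platform brand names in an app title.
FIRST_PARTY_DOMAINS = {"google.com", "twitter.com"}
# Assumed: brand words a third-party app should not carry in its name.
BRAND_WORDS = {"google", "gmail", "docs", "twitter"}
# Constructed scope names standing in for contact-list, mail-send and posting access.
SENSITIVE_SCOPES = {"contacts.readonly", "gmail.send", "tweet.write"}
STALE_AFTER_DAYS = 90  # assumed threshold for "an app you no longer use"


@dataclass
class Grant:
    app_name: str
    publisher_domain: str
    verified: bool
    scopes: Set[str]
    last_used_days_ago: int


def audit_grant(g: Grant) -> List[str]:
    """Return the findings for one grant; an empty list means nothing suspicious."""
    findings = []
    if not g.verified:
        findings.append("unverified app")
    name_words = set(g.app_name.lower().split())
    # A brand word in the title is only a problem when the publisher is not the brand owner.
    if name_words & BRAND_WORDS and g.publisher_domain not in FIRST_PARTY_DOMAINS:
        findings.append(f"brand impersonation: {g.app_name!r} published by {g.publisher_domain}")
    sensitive = g.scopes & SENSITIVE_SCOPES
    if sensitive:
        findings.append("sensitive scopes: " + ", ".join(sorted(sensitive)))
    if g.last_used_days_ago > STALE_AFTER_DAYS:
        findings.append("stale grant")
    return findings


def should_revoke(g: Grant) -> bool:
    """Sensitive scopes alone are expected for a verified, active app; anything else warrants revocation."""
    return any(not f.startswith("sensitive scopes") for f in audit_grant(g))


def audit(grants: List[Grant]) -> Dict[str, List[str]]:
    return {g.app_name: audit_grant(g) for g in grants}


# Constructed sample grants: the worm-style app, a genuine first-party app, a forgotten scheduler.
SAMPLE_GRANTS = [
    Grant("Google Docs", "attacker.example", False, {"contacts.readonly", "gmail.send"}, 0),
    Grant("Google Drive", "google.com", True, {"drive.file"}, 3),
    Grant("Tweet scheduler", "scheduler.example", True, {"tweet.write"}, 200),
]
```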