How Google Is Stopping Phishing Attacks From Unverified Apps


Google is stepping up its effort to block phishing attempts that use app permissions to gain access to users’ Gmail accounts. These phishing attacks invite users to grant an app permission to manage their Google account—which lots of safe apps do, too—and then exploit those permissions to take over an account or send spam.

To stop these kinds of attacks, Google is adding a screen to the permissions process that will warn users if the app is new or unverified—signs that it might be linked to a phishing attempt.
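The attack described above works because the consent screen itself is genuine and only the app behind it is not, which is why a user-facing "unverified app" warning helps. As an added example (not Google's code and not part of the original article), here is a small Python triage script a defender could use to review a Google OAuth consent URL that a user has reported: it parses the authorization request, ranks the requested scopes by what a grant would hand over, and flags structural problems such as a non-Google consent host or a plain-http redirect. The scope URIs and the accounts.google.com authorization endpoint are real identifiers; the three risk tiers, the helper names and the sample client IDs are this example's own assumptions.

```python
from urllib.parse import urlparse, parse_qs, urlencode

# Google OAuth scope URIs (real identifiers), grouped by what a consent grant lets an app
# do with the account. The three tiers are this example's own classification, not Google's.
HIGH_RISK = {
    "https://mail.google.com/": "full read, send and delete access to the mailbox",
    "https://www.googleapis.com/auth/gmail.modify": "read, send and modify mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/contacts": "read and edit contacts",
    "https://www.googleapis.com/auth/drive": "full access to Drive files",
}
MODERATE_RISK = {
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
    "https://www.googleapis.com/auth/drive.readonly": "read Drive files",
}
LOW_RISK = {
    "openid": "sign in only",
    "email": "see the account's e-mail address",
    "profile": "see basic profile information",
}
TIER_ORDER = {"low": 0, "moderate": 1, "unknown": 2, "high": 3}
GOOGLE_AUTH_HOST = "accounts.google.com"


def parse_consent_request(url):
    """Pull the reviewer-relevant fields out of a Google OAuth authorization URL."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    scopes = []
    for value in query.get("scope", []):      # 'scope' is one space-separated parameter
        scopes.extend(value.split())
    return {
        "host": parts.netloc.lower(),
        "client_id": query.get("client_id", [""])[0],
        "redirect_uri": query.get("redirect_uri", [""])[0],
        "scopes": scopes,
    }


def classify_scope(scope):
    """Return (tier, plain-English meaning); scopes not in the catalogue need manual review."""
    for tier, catalogue in (("high", HIGH_RISK), ("moderate", MODERATE_RISK), ("low", LOW_RISK)):
        if scope in catalogue:
            return tier, catalogue[scope]
    return "unknown", "scope not in the local catalogue"


def review_consent_request(url):
    """Summarise what granting this request would hand over, plus anything that looks off."""
    req = parse_consent_request(url)
    findings = []
    overall = "low"
    for scope in req["scopes"]:
        tier, meaning = classify_scope(scope)
        if TIER_ORDER[tier] > TIER_ORDER[overall]:
            overall = tier
        if tier in ("high", "unknown"):
            findings.append(f"{tier}-risk scope {scope}: {meaning}")
    # Structural checks: the consent page must be Google's, and the code must come back over TLS.
    if req["host"] != GOOGLE_AUTH_HOST:
        findings.append(f"consent host is {req['host']!r}, not {GOOGLE_AUTH_HOST}")
        overall = "high"
    if urlparse(req["redirect_uri"]).scheme != "https":
        findings.append(f"redirect_uri is not https: {req['redirect_uri']!r}")
        overall = "high"
    return {"client_id": req["client_id"], "overall": overall, "findings": findings}


def consent_url(client_id, redirect_uri, scopes, host=GOOGLE_AUTH_HOST):
    """Build an authorization URL of the shape Google uses (used here only to construct samples)."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": " ".join(scopes)}
    return f"https://{host}/o/oauth2/v2/auth?" + urlencode(params)


# Constructed sample requests; the client IDs and redirect hosts are placeholders.
SAMPLES = {
    "sign_in_only": consent_url("placeholder-signin.apps.googleusercontent.com",
                                "https://app.example/callback", ["openid", "email", "profile"]),
    "mailbox_and_contacts": consent_url("placeholder-mailer.apps.googleusercontent.com",
                                        "https://mailer.example/callback",
                                        ["https://mail.google.com/",
                                         "https://www.googleapis.com/auth/contacts"]),
    "non_google_host": consent_url("placeholder.apps.googleusercontent.com",
                                   "http://collector.example/cb",
                                   ["https://www.googleapis.com/auth/gmail.readonly"],
                                   host="accounts.google.example"),
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        verdict = review_consent_request(url)
        print(f"{name}: overall={verdict['overall']}")
        for line in verdict["findings"]:
            print("  -", line)
```

The script deliberately treats any scope it does not recognise as needing manual review rather than as safe, and it cannot tell whether an app has passed Google's verification, since that status is only visible on Google's side; the scope ranking is the part a help desk can apply to a reported consent link before the user clicks through.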

“The ‘unverified app’ screen precedes the permissions consent screen for the app and lets potential users know that the app has yet to be verified. This will help reduce the risk of user data being phished by bad actors,” Google’s Naveen Agarwal and Wesley Chun wrote in a blog post announcing the change.

The warning looks a little like Chrome’s warning when a site’s HTTPS certificate isn’t trusted. It requires users to click into advanced settings before they can commit to granting permissions to the app. Here’s what the warning will look like:

[Image: Google’s “unverified app” warning screen. Courtesy of Google]

Google recently started requiring new apps to go through a verification process to assess possible risks before being approved. In addition to the new warning system, Google will require some existing apps to undergo the verification process.

The warnings and reviews are intended to shore up an area of vulnerability for Gmail users, who may not be aware of the security risks that come with granting permissions to untrusted apps. Attacks that abuse OAuth permissions in this way are on the rise, so it’s good to see Google working to prevent them.

Source: How Google Is Stopping Phishing Attacks from Unverified Apps