Recently, there have been several high-profile attacks that relied on Google’s user data, the most recent of which was a large-scale phishing attack which attempted to gain access to Gmail accounts by tricking users into clicking on a poisoned Google Doc file.
This attack succeeded in large part because there was no mechanism to keep a third-party app registered to Google’s OAuth service from using the same name as one of Google’s own, native apps, or the name of some other legitimate app, for that matter.
This gave hackers a large, unlocked door they could simply walk right through.
Since the phishing attack, the company has greatly strengthened its risk assessment protocol for all new apps, and made additional changes designed to better track and identify patterns of abuse. As a result of these changes, app developers may see error or warning messages they’ve not encountered before.
The company is also bulking up on the number of manual code reviews they perform, and until the manual review is complete, users won’t be able to approve data permissions – they’ll simply get an error message instead.
Obviously, this is not a foolproof system. We can certainly expect that with sufficient skill, determination and a bit of luck, a hacker will still be able to circumvent the more robust protections.
Even so, Google has the technical know-how and pockets deep enough to make hackers’ lives very interesting.
While that’s good news, it has a potentially dark side. Hackers tend to go after the low-hanging fruit and soft targets. Google’s latest changes make their infrastructure less appealing, which means your company could be next.
How confident are you in your digital security system? If you feel it’s lacking, call us today and speak with one of our talented team members. We’re more than happy to help take your data security to the next level.