Last May, around one million Gmail and G Suite users using SAML single sign-on (SSO) were targeted by a clever type of phishing attack that Google seemed keen for everyone to know it had shut down within hours.
The speed of response was reassuring but also, in another way, unnerving. What was going on that Google felt it necessary to react in such an all-hands-on-deck way?
During the deceptively simple attack, G Suite users received an invitation to view what appeared to be a Google Doc file.
The request was convincing because it came from a known Gmail contact and the first part of the URL made it look as if it was hosted on Google’s platform.
Except that anyone clicking on the invite was secretly being logged into an account set up by the attackers, at which point they would have temporarily lost control over their G Suite email.
Behind the scenes, the attackers had set up a rogue Gmail or G Suite account, registered some applications to this through OAuth on Google’s cloud (available on a free trial!), and redirected access via an external server hosting an application under malicious control.
The attackers were simply exploiting legitimate permissions within OAuth and the way these help SSO to work, bypassing supposedly watertight security such as two-step verification along the way.
Not having entered any credentials, users might have considered what had happened innocuous until everyone in their contacts list started receiving emails from them asking that they click on the same bogus Docs file.
This was like phishing where the victim sees the hook but not the invisible line reeling them in.
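The attack above depended on a user granting a third-party OAuth app both mailbox access and their contacts list. One way a defender can catch that kind of grant, as an added example that is not part of the original article and not Google's own tooling: the script below parses a constructed, simplified token-grant log (the key=value layout, the client IDs and the allow-list are assumptions, not Google's real audit-log format), skips apps the organisation has vetted, and flags third-party apps whose name mimics a Google product or whose scopes combine mailbox access with the user's contacts. The scope URLs themselves are Google's published Gmail, People and Calendar API scope strings.

```python
"""Flag risky third-party OAuth grants in a constructed token-grant log.

Assumptions (not from the article): the key=value log layout, the client IDs
and the allow-list are hypothetical; the scope URLs are Google's published
Gmail, People and Calendar API scope strings.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Scope sets that matter for a mail-borne OAuth lure: reading the mailbox,
# sending mail, and enumerating the user's contacts.
MAIL_READ_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}
MAIL_SEND_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.modify",
}
CONTACT_SCOPES = {
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# Hypothetical allow-list of client IDs the organisation has vetted (placeholders).
APPROVED_CLIENT_IDS = {"client-placeholder-approved-crm"}

# A third-party app that calls itself by a Google product name is impersonating it.
BRAND_WORDS = ("google", "gmail", "docs", "g suite")


@dataclass
class Grant:
    user: str
    app_name: str
    client_id: str
    scopes: set[str]


@dataclass
class Finding:
    user: str
    app_name: str
    client_id: str
    reasons: list[str] = field(default_factory=list)


def parse_grant_line(line: str) -> Grant:
    """Parse one constructed 'key=value key="quoted value"' record."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line))
    return Grant(
        user=fields["user"],
        app_name=fields["app"],
        client_id=fields["client_id"],
        scopes=set(fields["scopes"].split(",")),
    )


def assess_grant(grant: Grant) -> Finding | None:
    """Return a Finding with reasons, or None if the grant looks benign."""
    if grant.client_id in APPROVED_CLIENT_IDS:
        return None  # vetted app: its scopes were reviewed when it was approved
    reasons: list[str] = []
    if any(word in grant.app_name.lower() for word in BRAND_WORDS):
        reasons.append("third-party app name impersonates a Google product")
    can_read = bool(grant.scopes & MAIL_READ_SCOPES)
    can_send = bool(grant.scopes & MAIL_SEND_SCOPES)
    has_contacts = bool(grant.scopes & CONTACT_SCOPES)
    if can_read and has_contacts:
        reasons.append("mailbox read + contacts: can harvest the user's correspondents")
    if can_send and has_contacts:
        reasons.append("mail send + contacts: can mail every contact in the user's name")
    if not reasons:
        return None
    return Finding(grant.user, grant.app_name, grant.client_id, reasons)


def scan(lines: list[str]) -> list[Finding]:
    """Run every log line through the assessment and keep the flagged grants."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = assess_grant(parse_grant_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records; timestamps, users and client IDs are invented.
SAMPLE_LOG = [
    'ts=2017-05-03T19:02:11Z user=alice@example.test app="Google Docs" '
    'client_id=client-placeholder-unverified-1 '
    'scopes=https://mail.google.com/,https://www.googleapis.com/auth/contacts.readonly',
    'ts=2017-05-03T19:05:40Z user=bob@example.test app="Acme CRM" '
    'client_id=client-placeholder-approved-crm '
    'scopes=https://mail.google.com/,https://www.googleapis.com/auth/contacts',
    'ts=2017-05-03T19:07:02Z user=carol@example.test app="Calendar Helper" '
    'client_id=client-placeholder-unverified-2 '
    'scopes=https://www.googleapis.com/auth/calendar.readonly',
    'ts=2017-05-03T19:09:55Z user=dave@example.test app="Newsletter Sender" '
    'client_id=client-placeholder-unverified-3 '
    'scopes=https://www.googleapis.com/auth/gmail.send,https://www.googleapis.com/auth/contacts.readonly',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.user}: {f.app_name} ({f.client_id})")
        for reason in f.reasons:
            print(f"  - {reason}")
```

Run against the sample records, the "Google Docs" grant is flagged on all three counts and the newsletter app on the send-plus-contacts combination alone, while the allow-listed CRM and the calendar-only app pass. The allow-list is the important design choice: scope combinations are too common in legitimate integrations to block outright, so the check is meant to surface unreviewed grants for a human to revoke or approve rather than to act automatically.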
Google's best answer to the problem arrives on 7 May, when G Suite users logging in through Chrome via SAML single sign-on (SSO) providers will start seeing a new prompt the first time they log in.
Once past the provider login, a ‘verify it’s you’ prompt will pop up to ask users whether they recognise the account they are being signed into.
Said Google:
This new screen adds that protection and reduces the probability that attackers successfully abuse SAML SSO to sign users in to malicious accounts.
This won’t impact individuals who sign in to G Suite services directly and those who use G Suite or Cloud Identity as their identity provider. The screen is also not shown on devices running Chrome OS.
The protection depends on using the Chrome browser, but the prompt should appear only once for a particular SSO provider.
It’s not a perfect defence because it’s still possible some users might be taken in by a phishing attack aimed at them in this way, but it’s certainly handy insurance.
With all the fuss over Gmail's new privacy features it would be easy to miss security upgrades like this, because they are out of sight and out of mind.
Ironically, a motivation for moving to cloud email systems such as G Suite and Microsoft’s Office 365 is so that organisations can hand over at least part of the security job to the provider.
Last May’s attack serves as a warning that the need for diligence is never something organisations should try to outsource.