    Will.Spencer

    OAuth Vulnerability Opens Google Customer Data to Attack

    A newly discovered OAuth Session Fixation Attack creates problems for every organization which uses OAuth, including Google.

    According to Using OAuth with the Google Data APIs:
    "Recently, all of the Google Data APIs adopted support for OAuth, an open protocol that aims to standardize the way desktop and web applications access a user's private data."
    Look for fairly sophisticated phishing attacks to start appearing in the near future.

    But these new phishing attacks won't be as easy to spot as the phishing attacks that we've trained ourselves to ignore.

    Quoting from the vulnerability explanation:
    The attacker then uses social engineering to trick a victim into following that link (the authorization URI from the redirection). This can be as simple as a blog post with a review of the application, inviting people to try it out. When someone clicks on that link, they are sent to the provider to authorize access.

    Since this is what he wanted to do, the victim will not realize that he should have started at the application itself, and will continue to sign into the provider. Because of how we train people to look for phishing attacks, even an educated user will notice that he is at the right place.

    The provider will then ask the user to grant access, identifying the right application. This will increase the comfort level of the user, since so far, everything checks out.
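Added example, not part of the original post or the quoted advisory: a toy Python model of the flow described above, showing that a provider which accepts the request token alone cannot tell whether the person who approved access is the person who started at the application, and how the `oauth_verifier` value introduced afterwards in OAuth Core 1.0 Revision A closes that gap. The `Provider` class, its method names and the user name `alice` are constructed for illustration and are not any real library's API.

```python
import hmac
import secrets


class Provider:
    """Toy OAuth 1.0-style provider (constructed model, not a real library)."""

    def __init__(self, require_verifier):
        self.require_verifier = require_verifier
        self.pending = {}  # request token -> {"user", "verifier"}

    def issue_request_token(self):
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"user": None, "verifier": None}
        return token

    def authorize(self, token, user):
        """`user` signs in and grants access. The returned verifier is sent
        only to that user's browser in the callback redirect."""
        verifier = secrets.token_urlsafe(16)
        self.pending[token].update(user=user, verifier=verifier)
        return verifier

    def exchange(self, token, verifier=None):
        """Swap an authorized request token for an access token."""
        state = self.pending.get(token)
        if state is None or state["user"] is None:
            return None
        if self.require_verifier:
            # Knowing the request token is not enough: the caller must also
            # present the value that only the approving browser received.
            if verifier is None or not hmac.compare_digest(verifier, state["verifier"]):
                return None
        del self.pending[token]  # request tokens are single use
        return "access-token-for-" + state["user"]


def finish_without_callback(provider):
    """The flow is started by one party, approved by alice, and completed by
    the starter, who knows the request token but never saw the callback."""
    token = provider.issue_request_token()
    provider.authorize(token, "alice")  # verifier goes to alice's browser only
    return provider.exchange(token)


def finish_with_callback(provider):
    """Normal flow: the same browser starts, approves and returns."""
    token = provider.issue_request_token()
    verifier = provider.authorize(token, "alice")
    return provider.exchange(token, verifier)
```

With `Provider(require_verifier=False)` the first function returns an access token for alice's data even though she never came back to the application; with `require_verifier=True` it returns `None`, while the normal flow still succeeds.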


 
