In an OAuth attack, hackers can get access to your account without you ever needing to type a thing.
It's a phishing scheme that even multi-factor authentication and changing your password won't fix.
On Wednesday, a massive Google Docs phishing scheme spread across Gmail, hijacking people's accounts and spamming itself to the victim's contact list. Google quickly shut down the attack, which affected about 0.1 percent of Gmail's users.
Even at that low number, with more than 1 billion users, that's still at least 1 million people affected by this attack. And the typical phishing detection that Gmail offers couldn't block it because the attack didn't even need victims to type in their passwords.
The phishing scam relied on OAuth abuse, a rare technique that was exposed to the world on Wednesday. OAuth, which stands for Open Authorization, lets apps and services "talk" to each other without you having to log in to each account or hand over your password. Think about how your Amazon Alexa can read off your Google Calendar events, or how your Facebook friends can see what song you're listening to on Spotify. In the last three years, apps that use OAuth jumped from 5,500 to 276,000, according to Cisco Cloudlock.
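To make concrete why a password change or multi-factor authentication does not undo an OAuth grant, here is an added toy authorization server (example code written for this page, not Google's implementation or anything from the attack). It assumes a constructed client id, constructed scope names such as `contacts.read` and `mail.send`, and a user named `alice`; none of these are real Google identifiers. The third-party app never holds the password, only a token tied to the consent the user gave, so the defender's fix is to find and revoke the grant rather than to rotate credentials.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Constructed scope labels used to flag a grant as high-impact (read address
# book, send mail). These are illustrative names, not a real provider's scopes.
RISKY_SCOPES = {"contacts.read", "mail.read", "mail.send"}


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    mfa_enabled: bool = False


@dataclass
class Grant:
    token: str
    username: str
    client_id: str
    scopes: frozenset


class AuthServer:
    """Toy OAuth-style provider: keeps users and the tokens issued on consent."""

    def __init__(self):
        self.users = {}
        self.grants = {}  # token -> Grant

    @staticmethod
    def _hash(password, salt):
        # Slow, salted KDF as a real provider would use.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = User(username, salt, self._hash(password, salt))

    def login(self, username, password, otp=None):
        u = self.users.get(username)
        if u is None or not hmac.compare_digest(u.password_hash, self._hash(password, u.salt)):
            return False
        # MFA gates the interactive login, nothing else.
        return otp is not None if u.mfa_enabled else True

    def consent(self, username, password, client_id, scopes, otp=None):
        # The user authenticates to the provider, never to the app, and approves
        # scopes; the app receives only a bearer token bound to that consent.
        if not self.login(username, password, otp):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(token, username, client_id, frozenset(scopes))
        return token

    def access(self, token, scope):
        g = self.grants.get(token)
        return g is not None and scope in g.scopes

    def change_password(self, username, new_password):
        u = self.users[username]
        u.salt = os.urandom(16)
        u.password_hash = self._hash(new_password, u.salt)

    def enable_mfa(self, username):
        self.users[username].mfa_enabled = True

    def list_grants(self, username):
        return [g for g in self.grants.values() if g.username == username]

    def risky_grants(self, username):
        # What an account review should surface: apps holding broad scopes.
        return [g for g in self.list_grants(username) if g.scopes & RISKY_SCOPES]

    def revoke(self, username, client_id):
        doomed = [t for t, g in self.grants.items()
                  if g.username == username and g.client_id == client_id]
        for t in doomed:
            del self.grants[t]


def demo():
    """Walk through grant, credential rotation, review and revocation."""
    srv = AuthServer()
    srv.register_user("alice", "hunter2")  # constructed user and password
    tok = srv.consent("alice", "hunter2", "third-party-app", ["contacts.read", "mail.send"])
    out = {"before": srv.access(tok, "mail.send")}
    srv.change_password("alice", "new-password")
    srv.enable_mfa("alice")
    out["after_password_change_and_mfa"] = srv.access(tok, "mail.send")
    out["old_password_still_works"] = srv.login("alice", "hunter2")
    out["risky"] = [g.client_id for g in srv.risky_grants("alice")]
    srv.revoke("alice", "third-party-app")
    out["after_revoke"] = srv.access(tok, "mail.send")
    return out


if __name__ == "__main__":
    print(demo())
```

The run shows the token working before and after the password change and MFA enrollment, the old password failing, the grant appearing in a scope review, and access ending only once the grant itself is revoked. That review-and-revoke step is the one that actually contains an OAuth consent phish.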
"Now that this technique is widely known, it's likely to pose a significant problem -- there are so many online services which use OAuth and it's difficult for them to fully vet all of the third-party applications out there," said Greg Martin, CEO of cyber security firm Jask in an email.