The phishing attack launched against Gmail accounts this week represents the opening of a new front in the cybersecurity war that strikes at the heart of the API economy.
Unlike other phishing attacks, which require the end user to log into a fake web site and give up their password, the attack launched this week relied on a fake version of Google Docs created by cybercriminals. That fake application asked end users for permission to read, write and access the email stored in their Gmail accounts. Once that permission was granted, the attackers used the OAuth tokens issued for the application to access the users' accounts, without the end users ever having to give up their passwords.
Google shut down the attack quickly, but it is estimated that about one million users were potentially affected. There are some basic Google security measures end users should routinely apply to better secure their accounts, including the verification and security checkup services that Google provides, which list the third-party applications that have been granted access to an account and allow that access to be revoked.
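The consent-based attack described above leaves a trace that a defender can audit: a third-party application holding mail scopes on the account. The following is an added example, not code from the original article or from Google; it scores a list of OAuth grants by the scopes they hold and by whether the application's display name impersonates a Google product while being registered to a non-Google domain. The grant records are constructed sample data, and the `client_domain` and `verified_publisher` fields are assumed attributes of a grant listing rather than a specific Google API.

```python
"""
Added example (not from the original article or from Google): a small audit
of OAuth application grants on a mail account, written from a defender's view.
Each grant is scored by the scopes it holds and by whether the app name
impersonates a Google product; grants at or above a threshold are recommended
for revocation. All grant records below are constructed sample data.
"""
from dataclasses import dataclass

# Gmail OAuth scope identifiers. The broad ones let an app read, modify or
# send mail on the user's behalf, which is what the fake "Google Docs" asked for.
MAIL_SCOPES = {
    "https://mail.google.com/": "full mailbox access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/gmail.modify": "read/modify mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as user",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}

# Product names a third-party application has no business presenting as its own.
GOOGLE_PRODUCT_NAMES = ("google docs", "google drive", "gmail", "google")


@dataclass
class Grant:
    app_name: str            # display name shown on the consent screen
    client_domain: str       # domain the OAuth client is registered under (assumed field)
    scopes: tuple            # scopes the user granted
    verified_publisher: bool # whether the publisher passed verification (assumed field)


def impersonates_google(app_name, client_domain):
    """True when the app calls itself a Google product but is not registered to google.com."""
    name = app_name.strip().lower()
    looks_like_google = any(
        name == n or name.startswith(n + " ") for n in GOOGLE_PRODUCT_NAMES
    )
    return looks_like_google and not client_domain.endswith("google.com")


def assess_grant(grant):
    """Return (risk_score, reasons). A score of 3 or more recommends revocation."""
    score, reasons = 0, []
    broad = [s for s in grant.scopes if s in MAIL_SCOPES]
    if broad:
        score += 2
        reasons.append("mail scopes: " + ", ".join(MAIL_SCOPES[s] for s in broad))
    if impersonates_google(grant.app_name, grant.client_domain):
        score += 2
        reasons.append(
            f"name '{grant.app_name}' impersonates a Google product "
            f"but the client is registered to {grant.client_domain}"
        )
    if not grant.verified_publisher:
        score += 1
        reasons.append("publisher not verified")
    return score, reasons


def grants_to_revoke(grants, threshold=3):
    """Names of the granted apps whose risk score reaches the threshold."""
    return [g.app_name for g in grants if assess_grant(g)[0] >= threshold]


# Constructed sample grants: one mimics the attack pattern, two are ordinary apps.
SAMPLE_GRANTS = [
    Grant("Google Docs", "consent-phish.invalid",
          ("https://mail.google.com/",
           "https://www.googleapis.com/auth/contacts.readonly"), False),
    Grant("Mail Client", "mail-client.example",
          ("https://www.googleapis.com/auth/gmail.readonly",), True),
    Grant("Calendar Sync", "calendar.example",
          ("https://www.googleapis.com/auth/calendar.readonly",), False),
]

if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        score, reasons = assess_grant(g)
        print(f"{g.app_name!r}: score {score}; " + "; ".join(reasons))
    print("revoke:", grants_to_revoke(SAMPLE_GRANTS))
```

Run as a script, the sample flags only the "Google Docs" grant: it holds full mailbox access, uses a Google product name under a non-Google client domain, and has no verified publisher. The two ordinary apps score below the threshold and are left alone; the weights are a starting point to tune, not a fixed policy.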