Google Docs scams are still a threat

In May 2017, a phishing attack now known as the “Google Docs worm” spread across the internet. It used special web applications to impersonate Google Docs and request deep access to the emails and contact lists of Gmail accounts. The scam was so effective because the requests appeared to come from people the target knew. If granted access, the app would automatically send the same scam email to the victim’s contacts, perpetuating the worm. The incident ultimately affected more than a million accounts before Google contained it. New research indicates, however, that the company’s fixes do not go far enough. Another viral Google Docs scam could happen at any time.

Google Workspace phishing and scams get much of their power from manipulating legitimate features and services for abusive purposes, says independent security researcher Matthew Bryant. Targets are more likely to fall for the attacks because they trust Google’s offerings. The tactic also largely keeps the activity outside the reach of antivirus tools and other security scanners, because it is web-based and abuses legitimate infrastructure.

In research presented at the Defcon security conference this month, Bryant found workarounds that attackers could use to get past Google Workspace’s enhanced protections. And the risk of attacks in Google Workspace is not just theoretical. Several recent scams use the same general approach of manipulating real Google Workspace features and notifications to make links or phishing pages look more legitimate and appealing to targets.

Bryant says all of these problems come from Workspace’s conceptual design. The same features that make the platform flexible, adaptable, and sharing-oriented also offer opportunities for abuse. With over 2.6 billion Google Workspace users, the stakes are high.

“Design has problems in the first place, and that entails all of these security issues, which not only can be solved; most are not one-time magic solutions,” says Bryant. “Google has made an effort, but those risks come from specific design decisions. The fundamental improvement would involve the painful process of potentially restructuring these things.”

Following the 2017 incident, Google added more restrictions on apps that can connect to Google Workspace, especially those that request any sensitive access, such as to emails or contacts. Anyone can use these “Apps Script” apps, but Google primarily supports them so that business users can customize and extend Workspace functionality. Under the enhanced protections, if an app has more than 100 users, the developer must submit it to Google for a notoriously rigorous review process before it can be deployed widely. Meanwhile, if you try to run an app that has fewer than 100 users and has not been reviewed, Workspace shows you a detailed warning screen advising you not to proceed.

Even with these protections in place, Bryant found a crack. These small apps can run without alerts if you receive a document with the app attached from someone in your own Google Workspace organization. The idea is that you trust your colleagues enough not to need the hassle of strict warnings and alerts. Design choices like this, however, leave possible openings for attacks.

For example, Bryant found that by sharing the link to a Google document that has one of these apps attached, and changing the word “edit” at the end of the URL to the word “copy,” a user who opens the link is shown a prominent “Copy Document” prompt. The user can simply close the tab, but if they believe the document is legitimate and click to make a copy, they become the creator and owner of that copy. They also appear as the “developer” of the app that is still embedded in the document. So when the app requests permission to run and to access their Google Account data (with no warnings attached), the victim sees their own email address in the request.

Not all components of an app are copied along with the document, but Bryant also found a way around that. An attacker could embed the missing pieces in Google Workspace’s version of a task-automation “macro,” which is very similar to the macros that are frequently abused in Microsoft Office. Ultimately, an attacker could trick someone in an organization into taking ownership of, and granting access to, a malicious app, which in turn could request access to other people’s Google Accounts within the same organization without any warning.
