
EDIT: According to a Google representative on the Reddit thread, this application is now blocked. If your account was affected, you no longer need to do anything.

If you fell for this, changing your password is not the right solution - you want to log into your Google account and remove permissions from the application.

https://myaccount.google.com/permissions?pli=1 should show a list of apps connected to your account.

Also, if you fell for this, you sent a bunch of emails to people like the one you received, so maybe tell them not to click.



Source code of the worm: https://hastebin.com/gubegaqusi.xml

Pretty much what you'd expect.

Edit: This isn't the full source code. There was another PHP file visible on their website that unfortunately isn't visible anymore.


Heh, they're using Google Analytics to track its spread. That's a nice touch.


It's possible to send any data we want to their Analytics tracker... perhaps we send them some spam?


Where is ilovevitaly when you need him?!


"No fair! You got your privacy invasion in my privacy invasion!"


That made my day.


On a brief skim, it doesn't seem to do much besides spread itself. Am I missing something, or was it just for lulz? Or maybe a grey hat trying to prove a point?


That's all this code does, but the author then has a backdoor to all the victim's email through the OAuth app.


Except that Google can kill those auths.


It's really a question of how malicious the author was: if they set it up to download everything attached to the account as soon as it connected, it could still cause a lot of damage.


Even worse: the hacker could have taken a list of, let's say, the top 1000 banking (or any type of online service) websites across the globe. The moment the hacker gets access to your Gmail account, he initiates a password recovery request on each of those 1000 websites, gets the password reset link from the email, resets the password, and deletes the email. He could now have access to any other online account you have that had its recovery email set to your Gmail account.


Safe to assume that Google could track such activity for affected accounts and notify if that was widespread?

(or is that somehow against the 'only our anonymized ad display program can scan your email' privacy policy?)


The most recent statement from Google said that "no other data was accessed", so interpret that as you will.


It redirects to a couple of different PHP pages as well, so there could have been more malicious code there.


Sending everything to this Mailinator address, which oddly seems to be empty:

https://www.mailinator.com/inbox2.jsp?public_to=hhhhhhhhhhhh....

Maybe Mailinator has purged the box and is rejecting mail from it. Good on them.


Mailinator purged it early on yeah.


Man, I wonder how much wider this would have spread if they had spent a teensy bit more time to make e.g. the To address less suspicious.


What context was that code expected to be executed in?


> If your account was affected, you no longer need to do anything.

How do you figure? An unknown actor presumably had full access to your email inbox for a non-zero amount of time and the proper remediation is "nothing"? If I was concerned this had affected me I would right now be changing my passwords to ____everything____.


Well, change the passwords to everything except the Google account that was compromised. I don't think you can recover the password of a Google account through its own Gmail inbox.

Although I guess if you had a circular recovery chain of this Google account depending on a different email that depended on this Google account, the attacker could use your email to recover the other email, then use the other email to recover this Google account. So it might be wise to change the passwords to everything.
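The "recover every site that resets via this inbox" scenario and the circular recovery chain described in the comments above can be worked through as a graph problem. This is an added example, not code from the thread or from the worm; the account names and recovery relationships are constructed. It computes which accounts someone with read access to one mailbox could reset, and whether that mailbox itself ends up in the set (the case where revoking the OAuth grant alone is not enough and the password must change too).

```python
from collections import deque

# Constructed sample (not from the thread): each account maps to the mailbox
# that receives its password-reset link; None means no e-mail recovery.
RECOVERY = {
    "gmail:alice": "other:alice",  # Google account recovers via a second mailbox
    "other:alice": "gmail:alice",  # ...which recovers via the Google account: a cycle
    "bank:alice": "gmail:alice",
    "shop:alice": "gmail:alice",
    "work:alice": "corp:alice",    # reset link goes to a mailbox the attacker never reaches
    "corp:alice": None,
}


def reset_targets(recovery, compromised_mailbox):
    """Return every account an attacker could 'recover' given read access to
    compromised_mailbox, in breadth-first order. A taken-over account that is
    itself a mailbox extends the reach, so the result is transitive."""
    # Invert the map: mailbox -> accounts that send their reset link there.
    recovers_via = {}
    for account, mailbox in recovery.items():
        if mailbox is not None:
            recovers_via.setdefault(mailbox, []).append(account)
    seen = {compromised_mailbox}
    queue = deque([compromised_mailbox])
    reached = []
    while queue:
        mailbox = queue.popleft()
        for account in sorted(recovers_via.get(mailbox, [])):
            if account not in seen:
                seen.add(account)
                reached.append(account)
                queue.append(account)  # follow resets that land in this account too
    return reached


def recovery_cycle(recovery, mailbox):
    """True if the compromised mailbox's own recovery address is one of the
    accounts it exposes, i.e. read access alone lets its password be reset."""
    return recovery.get(mailbox) in reset_targets(recovery, mailbox)


if __name__ == "__main__":
    for mailbox in ("gmail:alice", "corp:alice"):
        print(mailbox, "->", reset_targets(RECOVERY, mailbox),
              "cycle:", recovery_cycle(RECOVERY, mailbox))
```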


What attack vector does changing your password help with? Are you concerned they could have recovered the account password via the OAuth scope?


The greater issue is the passwords of other accounts, which could now be 'recovered' as the attacker has access to your email.


Yes, I agree, although revoking the scope should remove the access (and I assume Google did that for everyone already).


Changing your password is the fastest way to ensure all authed sessions on any device are logged out. Google offers a "log out of all sessions" button somewhere in account settings, but most other services don't.

If your email account is compromised, any service that does password resets via email confirmation is potentially compromised by whoever has access to your email via OAuth.


I'm pretty sure that changing your password does NOT revoke your OAuth scopes, which were the attack vector here.


After looking at the source code, it looks like all it does is send a copy of itself to somebody in your inbox, and nothing else.


We don't really have any proof that this is the only code that got executed. Whoever owned the OAuth account had direct access to your information from Google's servers; he wouldn't need to go through you as a client to get it.


Here's a video I made on what you or they need to do: http://youtu.be/fjEenkk9Ntk?hd=1


What application? I tried this and don't see anything in there that looks like it could be it.


"Google Docs" with the real icon and everything.


Not seeing that, weirdly. Could it be "google chrome"?


Apparently Google has already shut this down. Likely they revoked the access from all accounts as well.


Link?



I've seen 2 client IDs used, and yes, Google Docs and Google Chrome; not sure if Google closed them both/all down. Here's a video on what to do/look for:

http://youtu.be/fjEenkk9Ntk?hd=1


It will be called "google docs" because for some reason that's allowed.


Removed Picasa; I'm guessing that's just Google Photos though, so I don't know.



