Google is making it harder for people to unknowingly install malicious plugins on their devices. Recently, the company announced new changes to the way Google services handle plugins, adding new warnings for users and a more involved verification system for apps. This results in more scrutiny of apps plugging into Google services, and more active involvement from Google when an app seems suspicious.
A few months ago, Google Drive users fell victim to a phishing worm masquerading as an invitation to collaborate on a document. This plugin was not controlled by Google. However, because it was named Google Docs, the app managed to trick many users into granting it access. Once granted access, the plugin sent a new request to everyone in the target’s contact list, allowing the app to spread. Ultimately, Google was able to stop the spread of this malicious plugin.
Shortly after this attack, Google strengthened its developer registration systems, making it harder for anonymous actors to plug unknown apps into Google accounts. Now, with this new development, users will be alerted whenever an unverified app requests access to user data.
Malicious plugins are a big security risk for Google and other platforms. Security group OurMine has specialized in these attacks, posting false messages from accounts controlled by Sundar Pichai, Jack Dorsey, and Sony Music. In the case of Sony Music, the group tweeted a fake report of popular singer Britney Spears’ death.
In each case, OurMine gained access by compromising a third-party application which was authorized to post to the target account. An active social media user might have hundreds of plugins authorized to access their social media accounts. This gives hackers hundreds of potential ways to attack. However, users can protect themselves against these malicious plugins by monitoring authorized apps and revoking access for any apps they no longer use.