January 7, 2022 report

Google Docs comment feature exploited to distribute phishing links

by Bob Yirka , Tech Xplore

Google
Credit: Unsplash/CC0 Public Domain

A team of security researchers at Avanan is reporting that hackers are taking advantage of a Google Docs security vulnerability—one that takes advantage of a comment feature. They are claiming that they saw hackers using the vulnerability to target 500 inboxes of 30 Outlook users involving over 100 individual email accounts.

The at Avanan claims that they found an earlier exploit in Google Docs last June—one that allowed hackers to send phishing links to users. Then, this past October, they discovered that hackers had found another way to send phishing links to unsuspecting users, using the comment feature. They further claim that the vulnerability was not fixed by Google and because of that they began seeing hackers taking advantage of the vulnerability last month.

The hacking approach is both simple and straightforward—a creates a Google Docs document and adds comments to it that include an @ symbol followed by an email address. The symbol automatically alerts the system to send an email to the person designated in the email address—the email that is sent has phishing links in it, sending the user to a webpage that could lead to malicious code.

The hack works because the email that is sent does not show the hackers' —just a name they designate. And because the email comes from Google, users trust that it is legitimate. The same feature also allows the email to sneak its way through spam filters. Notably, do not even have to open a Google Docs document to be targeted because they are targeted by what appears to be a friendly email message. To make matters worse, the attacker does not even have to share the document—just putting a victim's address in a comment gets the job done.

The team at Avanan reports that thus far, most have involved Outlook but note it could work equally well for virtually any email system. They also note that to avoid falling victim to such an attack, users need only refrain from clicking on links embedded in emails sent from Google Docs. They close by claiming that they briefed Google on their findings on January 4 but thus far the vulnerability has not been fixed.

More information: www.avanan.com/blog/google-doc … phishing-and-malware

© 2022 Science X Network

Citation: Google Docs comment feature exploited to distribute phishing links (2022, January 7) retrieved 24 April 2024 from https://techxplore.com/news/2022-01-google-docs-comment-feature-exploited.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Explore further

If your mom wants to share a Google Doc with you, check the source
239 shares

Feedback to editors
Salt battery harvests osmotic energy where the river meets the sea

1 hour ago
Emulating neurodegeneration and aging in artificial intelligence systems

3 hours ago
With a game show as his guide, researcher uses AI to predict deception

17 hours ago
Super Mario hackers' tricks could protect software from bugs, study finds

18 hours ago
The world's largest 3D printer is at a university in Maine. It just unveiled an even bigger one

20 hours ago
Researchers develop tiny chip that can safeguard user data while enabling efficient computing on a smartphone

21 hours ago
Personalization has the potential to democratize who decides how LLMs behave

21 hours ago
Aerogel-based phase change materials improve thermal management, reduce microwave emissions in electronic devices

21 hours ago
Holographic displays offer a glimpse into an immersive future

21 hours ago
Researchers develop high-energy-density aqueous battery based on halogen multi-electron transfer

22 hours ago
Load comments (0)