September 25, 2014 By Douglas Bonderud 2 min read

Search giant Google is under fire over privacy concerns after part-time bug hunter Andrew Cantino uncovered an easy way to abuse Google Apps Scripts and let malicious third parties slip though the door. This isn’t the first time Google has run afoul of privacy issues; in May, a European court upheld users’ “right to be forgotten,” forcing the search giant to comply with lawful requests from individuals who wanted certain search results associated with their name removed. According to the Wall Street Journal, the tech company is now on a seven-city tour in Europe to discuss the decision to “balance the right of information against the individual’s right to privacy,” according to Executive Chairman Eric Schmidt. However, the new scripts problem may limit any gains in goodwill as Google struggles to fight scammers at home.

With Great Access…

As his day job, Cantino acts as vice president of engineering at Mavenlink; in his spare time, he hunts down tech vulnerabilities. As reported by Net Security, he has come across a big one — Google Apps Scripts “can make authenticated requests against user data inside of Google’s properties.” It works like this: Users can create custom app scripts in a Google domain that appear to be authentic Google apps.

To prove his point, Cantino created the “Google Security Upgrader” app. At first, the app looks entirely legitimate and only asks for access to view and manage mail. Since most users won’t question an app that seemingly comes from Google, there is a high likelihood that they will grant the request, allowing scammers free run of their entire contact list.

Although users do receive a notification from Google after the fact saying a third-party app not affiliated with the search giant has been installed, Cantino said that’s “way, way too late.” While Google allowed him to make his findings public, they say the scripts are “working as designed.”

…Comes User Responsibility?

Google is also taking heat because it recently pulled the “Disconnect Mobile” app from the Play store, according to the Electronic Frontier Foundation. The app was designed to guard against exactly the kind of third-party attack enabled by the Google Apps Scripts flaw, but it was taken off virtual shelves after just five days.

Google says the app violates Section 4.4 of its Play Store Developer Distribution agreement, which prohibits the distribution of apps that disrupt or otherwise interfere with the services of any third party. The issue is that other apps, such as firewalls and antivirus apps, also target third-party applications. Of course, Disconnect would also shut down apps looking for more “innocent” advertising profile data, leading to a number of unflattering assessments of Google’s motive.

Beyond Google Apps Scripts

For enterprises, the issue with Google Apps Scripts could lead to major issues not only because applications look legitimate, but also because they appear to originate from a trusted domain. Public awareness of the flaw should help limit the potential severity of Scripts-based attacks, but the new vulnerability reinforces the need for information technology oversight and employee awareness of app behaviors. The Google issue offers an important lesson: Even when everything looks above board, it’s worth opting for caution over access.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today