Search giant Google is under fire over privacy concerns after part-time bug hunter Andrew Cantino uncovered an easy way to abuse Google Apps Scripts and let malicious third parties slip though the door. This isn’t the first time Google has run afoul of privacy issues; in May, a European court upheld users’ “right to be forgotten,” forcing the search giant to comply with lawful requests from individuals who wanted certain search results associated with their name removed. According to the Wall Street Journal, the tech company is now on a seven-city tour in Europe to discuss the decision to “balance the right of information against the individual’s right to privacy,” according to Executive Chairman Eric Schmidt. However, the new scripts problem may limit any gains in goodwill as Google struggles to fight scammers at home.

With Great Access…

As his day job, Cantino acts as vice president of engineering at Mavenlink; in his spare time, he hunts down tech vulnerabilities. As reported by Net Security, he has come across a big one — Google Apps Scripts “can make authenticated requests against user data inside of Google’s properties.” It works like this: Users can create custom app scripts in a Google domain that appear to be authentic Google apps.

To prove his point, Cantino created the “Google Security Upgrader” app. At first, the app looks entirely legitimate and only asks for access to view and manage mail. Since most users won’t question an app that seemingly comes from Google, there is a high likelihood that they will grant the request, allowing scammers free run of their entire contact list.

Although users do receive a notification from Google after the fact saying a third-party app not affiliated with the search giant has been installed, Cantino said that’s “way, way too late.” While Google allowed him to make his findings public, they say the scripts are “working as designed.”

…Comes User Responsibility?

Google is also taking heat because it recently pulled the “Disconnect Mobile” app from the Play store, according to the Electronic Frontier Foundation. The app was designed to guard against exactly the kind of third-party attack enabled by the Google Apps Scripts flaw, but it was taken off virtual shelves after just five days.

Google says the app violates Section 4.4 of its Play Store Developer Distribution agreement, which prohibits the distribution of apps that disrupt or otherwise interfere with the services of any third party. The issue is that other apps, such as firewalls and antivirus apps, also target third-party applications. Of course, Disconnect would also shut down apps looking for more “innocent” advertising profile data, leading to a number of unflattering assessments of Google’s motive.

Beyond Google Apps Scripts

For enterprises, the issue with Google Apps Scripts could lead to major issues not only because applications look legitimate, but also because they appear to originate from a trusted domain. Public awareness of the flaw should help limit the potential severity of Scripts-based attacks, but the new vulnerability reinforces the need for information technology oversight and employee awareness of app behaviors. The Google issue offers an important lesson: Even when everything looks above board, it’s worth opting for caution over access.