September 25, 2014 By Douglas Bonderud 2 min read

Search giant Google is under fire over privacy concerns after part-time bug hunter Andrew Cantino uncovered an easy way to abuse Google Apps Scripts and let malicious third parties slip though the door. This isn’t the first time Google has run afoul of privacy issues; in May, a European court upheld users’ “right to be forgotten,” forcing the search giant to comply with lawful requests from individuals who wanted certain search results associated with their name removed. According to the Wall Street Journal, the tech company is now on a seven-city tour in Europe to discuss the decision to “balance the right of information against the individual’s right to privacy,” according to Executive Chairman Eric Schmidt. However, the new scripts problem may limit any gains in goodwill as Google struggles to fight scammers at home.

With Great Access…

As his day job, Cantino acts as vice president of engineering at Mavenlink; in his spare time, he hunts down tech vulnerabilities. As reported by Net Security, he has come across a big one — Google Apps Scripts “can make authenticated requests against user data inside of Google’s properties.” It works like this: Users can create custom app scripts in a Google domain that appear to be authentic Google apps.

To prove his point, Cantino created the “Google Security Upgrader” app. At first, the app looks entirely legitimate and only asks for access to view and manage mail. Since most users won’t question an app that seemingly comes from Google, there is a high likelihood that they will grant the request, allowing scammers free run of their entire contact list.

Although users do receive a notification from Google after the fact saying a third-party app not affiliated with the search giant has been installed, Cantino said that’s “way, way too late.” While Google allowed him to make his findings public, they say the scripts are “working as designed.”

…Comes User Responsibility?

Google is also taking heat because it recently pulled the “Disconnect Mobile” app from the Play store, according to the Electronic Frontier Foundation. The app was designed to guard against exactly the kind of third-party attack enabled by the Google Apps Scripts flaw, but it was taken off virtual shelves after just five days.

Google says the app violates Section 4.4 of its Play Store Developer Distribution agreement, which prohibits the distribution of apps that disrupt or otherwise interfere with the services of any third party. The issue is that other apps, such as firewalls and antivirus apps, also target third-party applications. Of course, Disconnect would also shut down apps looking for more “innocent” advertising profile data, leading to a number of unflattering assessments of Google’s motive.

Beyond Google Apps Scripts

For enterprises, the issue with Google Apps Scripts could lead to major issues not only because applications look legitimate, but also because they appear to originate from a trusted domain. Public awareness of the flaw should help limit the potential severity of Scripts-based attacks, but the new vulnerability reinforces the need for information technology oversight and employee awareness of app behaviors. The Google issue offers an important lesson: Even when everything looks above board, it’s worth opting for caution over access.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today