Light Dark
September 25, 2014 By Douglas Bonderud 2 min read

Search giant Google is under fire over privacy concerns after part-time bug hunter Andrew Cantino uncovered an easy way to abuse Google Apps Scripts and let malicious third parties slip though the door. This isn’t the first time Google has run afoul of privacy issues; in May, a European court upheld users’ “right to be forgotten,” forcing the search giant to comply with lawful requests from individuals who wanted certain search results associated with their name removed. According to the Wall Street Journal, the tech company is now on a seven-city tour in Europe to discuss the decision to “balance the right of information against the individual’s right to privacy,” according to Executive Chairman Eric Schmidt. However, the new scripts problem may limit any gains in goodwill as Google struggles to fight scammers at home.

With Great Access…

As his day job, Cantino acts as vice president of engineering at Mavenlink; in his spare time, he hunts down tech vulnerabilities. As reported by Net Security, he has come across a big one — Google Apps Scripts “can make authenticated requests against user data inside of Google’s properties.” It works like this: Users can create custom app scripts in a Google domain that appear to be authentic Google apps.

To prove his point, Cantino created the “Google Security Upgrader” app. At first, the app looks entirely legitimate and only asks for access to view and manage mail. Since most users won’t question an app that seemingly comes from Google, there is a high likelihood that they will grant the request, allowing scammers free run of their entire contact list.

Although users do receive a notification from Google after the fact saying a third-party app not affiliated with the search giant has been installed, Cantino said that’s “way, way too late.” While Google allowed him to make his findings public, they say the scripts are “working as designed.”

…Comes User Responsibility?

Google is also taking heat because it recently pulled the “Disconnect Mobile” app from the Play store, according to the Electronic Frontier Foundation. The app was designed to guard against exactly the kind of third-party attack enabled by the Google Apps Scripts flaw, but it was taken off virtual shelves after just five days.

Google says the app violates Section 4.4 of its Play Store Developer Distribution agreement, which prohibits the distribution of apps that disrupt or otherwise interfere with the services of any third party. The issue is that other apps, such as firewalls and antivirus apps, also target third-party applications. Of course, Disconnect would also shut down apps looking for more “innocent” advertising profile data, leading to a number of unflattering assessments of Google’s motive.

Beyond Google Apps Scripts

For enterprises, the issue with Google Apps Scripts could lead to major issues not only because applications look legitimate, but also because they appear to originate from a trusted domain. Public awareness of the flaw should help limit the potential severity of Scripts-based attacks, but the new vulnerability reinforces the need for information technology oversight and employee awareness of app behaviors. The Google issue offers an important lesson: Even when everything looks above board, it’s worth opting for caution over access.

 | 
Douglas Bonderud
Freelance Writer

More from

March 26, 2025

We are moving!

< 1 min read - SecurityIntelligence.com is being sunset, but have no fear!We have a new home for all of your favorite security and X-Force content.Follow us to www.ibm.com/think to maintain access to the stories and news you love, both new and old.Security Intelligence will officially sunset on Friday, March 28, 2025. To access the latest security thought leadership, go here. To access the latest X-Force research, go here.If you are experiencing cybersecurity issues or an incident, contact X-Force® to help:US hotline: 1-888-241-9812 | Global hotline:…

March 18, 2025

Bypassing Windows Defender Application Control with Loki C2

10 min read - Windows Defender Application Control (WDAC) is a security solution that restricts execution to trusted software. Since it is classified as a security boundary, Microsoft offers bug bounty payouts for qualifying bypasses, making it an active and competitive field of research.Typical outcomes of a WDAC bypass bug bounty submission:Bypass is fixed; possible bounty awardedBypass is not fixed but instead "mitigated" by being added to the WDAC recommended block list. Likely no bounty awarded but honorable mention is typically givenBypass is not…

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature