September 25, 2014 By Douglas Bonderud 2 min read

Search giant Google is under fire over privacy concerns after part-time bug hunter Andrew Cantino uncovered an easy way to abuse Google Apps Scripts and let malicious third parties slip though the door. This isn’t the first time Google has run afoul of privacy issues; in May, a European court upheld users’ “right to be forgotten,” forcing the search giant to comply with lawful requests from individuals who wanted certain search results associated with their name removed. According to the Wall Street Journal, the tech company is now on a seven-city tour in Europe to discuss the decision to “balance the right of information against the individual’s right to privacy,” according to Executive Chairman Eric Schmidt. However, the new scripts problem may limit any gains in goodwill as Google struggles to fight scammers at home.

With Great Access…

As his day job, Cantino acts as vice president of engineering at Mavenlink; in his spare time, he hunts down tech vulnerabilities. As reported by Net Security, he has come across a big one — Google Apps Scripts “can make authenticated requests against user data inside of Google’s properties.” It works like this: Users can create custom app scripts in a Google domain that appear to be authentic Google apps.

To prove his point, Cantino created the “Google Security Upgrader” app. At first, the app looks entirely legitimate and only asks for access to view and manage mail. Since most users won’t question an app that seemingly comes from Google, there is a high likelihood that they will grant the request, allowing scammers free run of their entire contact list.

Although users do receive a notification from Google after the fact saying a third-party app not affiliated with the search giant has been installed, Cantino said that’s “way, way too late.” While Google allowed him to make his findings public, they say the scripts are “working as designed.”

…Comes User Responsibility?

Google is also taking heat because it recently pulled the “Disconnect Mobile” app from the Play store, according to the Electronic Frontier Foundation. The app was designed to guard against exactly the kind of third-party attack enabled by the Google Apps Scripts flaw, but it was taken off virtual shelves after just five days.

Google says the app violates Section 4.4 of its Play Store Developer Distribution agreement, which prohibits the distribution of apps that disrupt or otherwise interfere with the services of any third party. The issue is that other apps, such as firewalls and antivirus apps, also target third-party applications. Of course, Disconnect would also shut down apps looking for more “innocent” advertising profile data, leading to a number of unflattering assessments of Google’s motive.

Beyond Google Apps Scripts

For enterprises, the issue with Google Apps Scripts could lead to major issues not only because applications look legitimate, but also because they appear to originate from a trusted domain. Public awareness of the flaw should help limit the potential severity of Scripts-based attacks, but the new vulnerability reinforces the need for information technology oversight and employee awareness of app behaviors. The Google issue offers an important lesson: Even when everything looks above board, it’s worth opting for caution over access.

More from

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

How I got started: Cyber AI/ML engineer

3 min read - As generative AI goes mainstream, it highlights the increasing demand for AI cybersecurity professionals like Maria Pospelova. Pospelova is currently a senior data scientist, and data science team lead at OpenText Cybersecurity. She also worked at Interest, an AI cybersecurity company acquired by MicroFocus and then by OpenText. She continues as part of that team today.Did you go to college? What did you go to school for?Pospelova: I graduated with a bachelor’s degree in computer science and a master’s degree…

Europe’s Cyber Resilience Act: Redefining open source

3 min read - Amid an increasingly complex threat landscape, we find ourselves at a crossroads where law, technology and community converge. As such, cyber resilience is more crucial than ever. At its heart, cyber resilience means maintaining a robust security posture despite adverse cyber events and being able to anticipate, withstand, recover from and adapt to such incidents. While new data privacy and protection regulations like GDPR, HIPAA and CCPA are being introduced more frequently than ever, did you know that there is new…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today