Google is stepping up its effort to block phishing attempts that use app permissions to gain access to users’ Gmail accounts. These phishing attacks invite users to grant an app permission to manage their Google account—which lots of safe apps do, too—and then exploit those permissions to take over an account or send spam.
To stop these kinds of attacks, Google is adding a screen to the permissions process that will warn users if the app is new or unverified—signs that it might be linked to a phishing attempt.
“The ‘unverified app’ screen precedes the permissions consent screen for the app and lets potential users know that the app has yet to be verified. This will help reduce the risk of user data being phished by bad actors,” Google’s Naveen Agarwal and Wesley Chun wrote in a blog post announcing the change.
The warning looks a little bit like Chrome’s warning when a site’s HTTPS encryption isn’t trusted. It requires users to click into advanced settings before they can commit to granting permissions to the app. Here’s what the warning will look like:
Google recently started requiring new apps to go through a verification process to assess possible risks before being approved. In addition to the new warning system, Google will require some existing apps to undergo the verification process.
The warnings and reviews are intended to shore up an area of vulnerability for Gmail users, who may not be aware of the security risks that come with granting permissions to untrusted apps. These kinds of OAuth consent-phishing attacks are on the rise, so it’s good to see Google working to prevent them.
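The two signals the article describes (an app that is new or unverified, combined with a grant of broad account permissions) are also the ones a mail administrator would want to triage in their own records of third-party app authorizations. The script below is an added example, not code from Google or from the article, that applies that logic to constructed JSON-lines records of OAuth grants. The Gmail scope strings are real Google OAuth scope identifiers; the record format, the per-scope risk weights and the 30-day "new app" threshold are this example's own assumptions (the article gives no number).

```python
"""Triage OAuth app authorizations using the article's two signals
(app new or unverified) weighted by how much access was granted.
Added example; the log format is constructed, not a Google export."""
import json
from dataclasses import dataclass, field

# Risk weight of what a granted scope allows. Scope strings are real Gmail
# scope identifiers; the weights are this example's assumption.
SCOPE_RISK = {
    "https://mail.google.com/": 3,                         # full mailbox read/write/send
    "https://www.googleapis.com/auth/gmail.send": 3,       # can send mail as the user
    "https://www.googleapis.com/auth/gmail.modify": 3,
    "https://www.googleapis.com/auth/gmail.readonly": 2,
    "https://www.googleapis.com/auth/contacts.readonly": 2,
    "https://www.googleapis.com/auth/userinfo.email": 1,
    "https://www.googleapis.com/auth/userinfo.profile": 1,
}
NEW_APP_DAYS = 30  # assumed threshold for "new"; not a figure from the article


@dataclass
class Finding:
    user: str
    app: str
    severity: str
    reasons: list = field(default_factory=list)


def scope_score(scopes):
    # Unknown scopes are treated as medium risk rather than silently ignored.
    return max((SCOPE_RISK.get(s, 2) for s in scopes), default=0)


def triage(event):
    """Return a Finding for a risky grant, or None for a verified, established app."""
    reasons = []
    if not event.get("verified", False):
        reasons.append("app not verified")
    if event.get("app_age_days", 0) < NEW_APP_DAYS:
        reasons.append(f"app first seen less than {NEW_APP_DAYS} days ago")
    if not reasons:
        return None  # many legitimate apps request broad scopes; trust signals decide
    score = scope_score(event.get("scopes", []))
    if score >= 3:
        reasons.append("granted scope allows reading and sending mail")
        severity = "high"
    elif score == 2:
        severity = "medium"
    else:
        severity = "low"
    return Finding(event.get("user", "?"), event.get("app", "?"), severity, reasons)


# Constructed sample records, one JSON object per line; one line is malformed.
SAMPLE_LOG = """\
{"user": "alice@example.com", "app": "Mail Merge Pro", "verified": true, "app_age_days": 400, "scopes": ["https://mail.google.com/"]}
{"user": "bob@example.com", "app": "Docs Helper", "verified": false, "app_age_days": 2, "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts.readonly"]}
this line is not JSON and is skipped
{"user": "carol@example.com", "app": "Calendar Sync", "verified": false, "app_age_days": 120, "scopes": ["https://www.googleapis.com/auth/userinfo.email"]}
{"user": "dave@example.com", "app": "Inbox Stats", "verified": true, "app_age_days": 5, "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]}
"""


def triage_log(text):
    """Parse JSON-lines grant records and return findings for risky ones, in order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the whole run
        finding = triage(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.severity.upper():6} {f.user} -> {f.app}: {'; '.join(f.reasons)}")
```

Only grants that carry a trust signal (unverified or new) are reported, and their severity comes from the scope that was granted, so a verified, long-established app with full mailbox access produces no finding while an unverified app that appeared two days ago with the same scope is rated high. That ordering is the same one the new interstitial encodes: it is the combination of an untrusted app and account-wide permissions that warrants attention.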