ENS lead developer reveals vulnerability that allowed phishers to mimic official Google alerts

PANews
04-17

PANews reported on April 17th that, according to Bitcoin.com, ENS lead developer Nick Johnson disclosed a sophisticated phishing attack that exploited weaknesses in Google's systems, in particular a recently patched OAuth vulnerability. As Johnson described it, attackers first sent fraudulent emails appearing to come from Google's legal department, falsely claiming that the recipient's account was involved in a subpoena investigation. These emails carried genuine DKIM signatures and were sent from Google's official no-reply domain, so they passed Gmail's spam filters with ease. Johnson noted that the scam's credibility was further increased by a link to a fake support portal hosted on sites.google.com. This forged Google login page exposed two major security weaknesses: first, the Google Sites platform allows arbitrary script execution, enabling criminals to build pages that harvest credentials; second, the OAuth flow itself had an inherent flaw.

Johnson criticized Google for initially classifying the issue as "working as intended" and stressed that it posed a serious threat. Worse still, the fake portal used the trusted sites.google.com domain as cover, greatly lowering users' vigilance. In addition, Google Sites' abuse reporting mechanism was inadequate, making it difficult to take illegitimate pages down quickly. Under public pressure, Google eventually acknowledged the problem, and Johnson subsequently confirmed that Google plans to fix the flaw in the OAuth flow. Security experts advise users to remain vigilant, treat any unexpected legal document with skepticism, and carefully verify the authenticity of a URL before entering credentials.
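The report's core lesson for defenders is that a valid DKIM signature and a sender on the real google.com domain prove only that the message left Google's infrastructure, not that its contents are trustworthy; the link to user-authored content on sites.google.com is the part a mail filter can still catch. The following mail-triage helper is an added example written for this article, not code from PANews, Bitcoin.com or Nick Johnson. The sample message is constructed to mirror the described lure, the `USER_CONTENT_HOSTS` list and the relaxed-alignment rule are assumptions a defender would tune to their own environment, and `Authentication-Results` is trusted here only because the sample is synthetic.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hostnames that serve user-authored pages under a trusted parent domain.
# sites.google.com is the one named in the report; the set itself is an
# assumption to be extended per environment.
USER_CONTENT_HOSTS = {"sites.google.com"}

# Constructed sample modelled on the report: signed by google.com, From a
# google.com no-reply address, body links to a sites.google.com page.
SAMPLE_EMAIL = """\
From: Google Legal Support <no-reply@accounts.google.com>
To: victim@example.org
Subject: Notice of subpoena
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=selector; bh=placeholder; b=placeholder
Authentication-Results: mx.example.org; dkim=pass header.d=google.com
Content-Type: text/plain

Your account is subject to a legal request. Review the case details at
https://sites.google.com/view/legal-case-12345 within 24 hours.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def dkim_signing_domain(msg):
    """Return the d= tag of the first DKIM-Signature header, or None."""
    header = msg.get("DKIM-Signature")
    if not header:
        return None
    tags = dict(
        part.strip().split("=", 1) for part in header.split(";") if "=" in part
    )
    return tags.get("d", "").strip().lower() or None


def from_domain(msg):
    """Domain of the RFC 5322 From address (the one the user sees)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dkim_passed(msg):
    """Read the upstream verifier's dkim= result from Authentication-Results."""
    match = re.search(r"dkim=(\w+)", msg.get("Authentication-Results", ""))
    return bool(match and match.group(1).lower() == "pass")


def aligned(from_dom, signing_dom):
    """Relaxed alignment (assumption): From domain equals or is under d=."""
    return bool(signing_dom) and (
        from_dom == signing_dom or from_dom.endswith("." + signing_dom)
    )


def triage(raw_message):
    """Summarise why a DKIM-valid message can still deserve a second look."""
    msg = message_from_string(raw_message)
    signing_dom = dkim_signing_domain(msg)
    from_dom = from_domain(msg)
    body = msg.get_payload() if not msg.is_multipart() else ""
    links = URL_RE.findall(body)
    # Links whose host is a user-content platform, even under a trusted parent.
    suspicious = [
        url for url in links
        if (urlparse(url).hostname or "").lower() in USER_CONTENT_HOSTS
    ]
    return {
        "dkim_pass": dkim_passed(msg),
        "signing_domain": signing_dom,
        "from_domain": from_dom,
        "aligned": aligned(from_dom, signing_dom),
        "suspicious_links": suspicious,
        # Authentication alone is not enough: a passing, aligned signature with
        # a user-content link still goes to review.
        "verdict": "review" if suspicious else "pass",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run as a script it prints that DKIM passed and is aligned with the From domain, yet the verdict is "review" because of the sites.google.com link; swapping that link for an https://accounts.google.com URL yields "pass", which is exactly the gap a signature-only check leaves open.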

Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.