I downloaded a "pump and dump" spam image and created a document that looked like this. Then, I added as "viewers" another of my Gmail addresses, a non-Gmail address, and a friend's Gmail and non-Gmail addresses.
In every case, the notification email came right through as "I've shared a document with you called ..." with a link. The social engineering aspects here are:
- the email genuinely comes from Google, so sender reputation gives the recipient (or a spam filter) nothing to object to
- the link genuinely goes to Google, so there is no suspicious URL to inspect
- the text of the email is familiar and non-threatening, especially to users of Google Docs, who see this exact notification for legitimate shares
The additional benefit to the spammer, of course, is that documents can be dumped straight into a Google Docs user's main document list without any filtering at all, simply by "sharing" them. Imagine logging in one day to find your own documents pushed down the page to make room for a list of docs with titles like "Buy cheap Viagra online!!"
I'm not sure if Google is already watching for accounts that have a high level of document creation/sharing activity, but if not, they probably should be. Additionally, they may want to consider options to allow users to keep newly-shared/unconfirmed documents out of the default view, or to limit whom they accept shared documents from at all.
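The two mitigations suggested above can be sketched as detection logic. What follows is an added example, not code from the original post and not anything Google runs: it operates on a constructed list of share events (timestamp, sharer, recipient, title) whose addresses and titles are made up. The first function flags any sharer that reaches more than a threshold of distinct recipients inside a sliding time window; the second keeps shared documents out of a user's default view unless the sharer is on that user's trusted list and has not been flagged.

```python
"""Added example: rate-based detection of bulk document sharing, plus a
per-user hold on shares from untrusted or flagged sharers. Constructed
sample data; not Google's logs, API or actual policy."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample share events: (ISO-8601 time, sharer, recipient, title).
# Every address and title here is made up for illustration.
SAMPLE_EVENTS = [
    ("2007-06-01T09:00:00", "bob@example.com",  "alice@example.com", "Q2 budget"),
    ("2007-06-01T09:05:00", "spam@example.net", "alice@example.com", "Buy cheap Viagra online!!"),
    ("2007-06-01T09:05:01", "spam@example.net", "carol@example.com", "Buy cheap Viagra online!!"),
    ("2007-06-01T09:05:02", "spam@example.net", "dave@example.org",  "Buy cheap Viagra online!!"),
    ("2007-06-01T09:05:03", "spam@example.net", "erin@example.org",  "Hot stock tip"),
    ("2007-06-01T09:05:04", "spam@example.net", "frank@example.com", "Hot stock tip"),
    ("2007-06-02T09:05:04", "bob@example.com",  "carol@example.com", "Q2 budget"),
    ("2007-06-02T09:06:00", "bob@example.com",  "dave@example.org",  "Q2 budget"),
]


def parse_events(rows):
    """Turn the string timestamps into datetime objects."""
    return [(datetime.fromisoformat(t), s, r, title) for t, s, r, title in rows]


def flag_bulk_sharers(events, window=timedelta(minutes=10), max_recipients=3):
    """Return the set of sharers that reached more than `max_recipients`
    distinct recipients within any sliding window of length `window`.
    A legitimate user sharing one document with a handful of colleagues
    over two days stays under the threshold; a spam account that fans
    out to many addresses in seconds does not."""
    by_sharer = defaultdict(list)
    for ts, sharer, recipient, _ in events:
        by_sharer[sharer].append((ts, recipient))

    flagged = set()
    for sharer, shares in by_sharer.items():
        shares.sort()
        start = 0
        for end in range(len(shares)):
            # Advance the window start until it fits within `window`.
            while shares[end][0] - shares[start][0] > window:
                start += 1
            distinct = {r for _, r in shares[start:end + 1]}
            if len(distinct) > max_recipients:
                flagged.add(sharer)
                break
    return flagged


def triage_shared_docs(events, recipient, trusted_sharers, flagged_sharers=frozenset()):
    """Split the documents shared with `recipient` into those that may
    appear in the default view (from trusted, unflagged sharers) and
    those held back for the user to confirm. Returns (default_view, held),
    each a list of (sharer, title) in event order."""
    default_view, held = [], []
    for _, sharer, rcpt, title in events:
        if rcpt != recipient:
            continue
        ok = sharer in trusted_sharers and sharer not in flagged_sharers
        (default_view if ok else held).append((sharer, title))
    return default_view, held


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    bulk = flag_bulk_sharers(evs)
    print("flagged sharers:", bulk)
    shown, quarantined = triage_shared_docs(evs, "alice@example.com", {"bob@example.com"}, bulk)
    print("alice default view:", shown)
    print("alice held back:", quarantined)
```

The window and recipient threshold are arbitrary illustration values; a real deployment would tune them against observed sharing patterns, and would treat the flag as a signal to rate-limit or review rather than as proof of abuse.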