Passwords are heading toward becoming a thing of the past. That’s because more and more websites enable you to use your Google or Microsoft credentials to log in instead of creating new ones.
This functionality is called Open Authorization (OAuth) and grants third-party apps permission to access your information. For example, think of the ability to post Instagram photos to your Facebook or Twitter feed.
It works great in theory, but it can create problems if abused. Read on to see how hackers have exploited the authorization process to hijack emails.
Here’s the backstory
The technology started as an authentication mechanism for Twitter in 2006. After that, social media platforms and companies like Amazon and Microsoft quickly adopted it. The latter integrated OAuth into Office 365.
A new phishing scam has emerged that abuses the OAuth system, wreaking havoc for numerous businesses. Microsoft’s Security Intelligence team explained that phishing emails went out to customers, attempting to steal corporate information.
The malicious emails urge recipients to grant OAuth access to a suspicious app called Upgrade. Once given, the app can read and write emails, access the target’s contacts and edit calendar items. It also creates inbox rules to forward or delete specific emails.
Complicating matters is that the Upgrade app supposedly comes from the verified publisher Counseling Services Yuma PC. This was discovered by a self-proclaimed phish hunter on Twitter, who reported it to Microsoft.
Previous abuse of the OAuth platform led Google to implement stricter verification requirements for developers a few years ago.
What you can do about it
You might be in danger of receiving the phishing email if you or your company is an Office 365 customer. Microsoft deactivated the app in Azure AD and alerted customers. Still, until the issue is solved, there are a few things that you can do to stay safe online:
- Never grant OAuth access to unknown apps or programs.
- Don’t download attachments from unsolicited emails. Phishing emails mimic legitimate senders, and sender addresses are relatively easy to spoof.
- Contact your IT administrator to verify the app if you receive an OAuth request through your company email.
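For the IT administrator asked to verify such a request, the two signals described above (a consent grant that hands an app mailbox-wide permissions, and a newly created inbox rule that forwards or deletes mail) are the ones worth triaging. The script below is an added example, not code from the article or from Microsoft: it runs over a constructed, simplified event format (the field names and sample values are invented for illustration and are not Microsoft's actual audit-log schema), while the scope names are real Microsoft Graph permission names. Note that it deliberately does not exempt apps from a verified publisher, since the Upgrade app had one.

```python
"""
Triage of OAuth consent grants and inbox-rule changes (added example).

The event format here is constructed for illustration; it is not the
real Microsoft 365 audit-log schema. Scope names are Microsoft Graph
delegated permission names.
"""
from dataclasses import dataclass

# Graph delegated permissions that let an app read, send or reconfigure mail.
RISKY_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Contacts.Read", "Contacts.ReadWrite",
    "Calendars.ReadWrite", "MailboxSettings.ReadWrite",
}

# Inbox-rule actions that let a third party see or suppress a user's mail.
RISKY_RULE_ACTIONS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "DeleteMessage"}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"event": "ConsentGranted", "user": "alice@example.test", "app": "Upgrade",
     "publisher_verified": True,
     "scopes": ["Mail.ReadWrite", "Contacts.ReadWrite",
                "Calendars.ReadWrite", "MailboxSettings.ReadWrite"]},
    {"event": "ConsentGranted", "user": "bob@example.test", "app": "Corporate Travel Portal",
     "publisher_verified": True, "scopes": ["User.Read", "openid", "profile"]},
    {"event": "InboxRuleCreated", "user": "alice@example.test", "rule": "Upgrade sync",
     "actions": {"ForwardTo": "collector@attacker-example.test", "DeleteMessage": True},
     "conditions": {"SubjectContains": ["invoice", "payment"]}},
    {"event": "InboxRuleCreated", "user": "bob@example.test", "rule": "File newsletters",
     "actions": {"MoveToFolder": "Newsletters"}, "conditions": {"FromContains": ["news@"]}},
]


@dataclass
class Finding:
    user: str
    kind: str    # "consent" or "inbox_rule"
    detail: str


def flag_consent_grants(events):
    """Return a Finding for every consent grant that includes a mailbox-level scope.

    A verified publisher is intentionally not treated as a reason to skip the
    grant: verification says who published the app, not what it will do.
    """
    findings = []
    for e in events:
        if e.get("event") != "ConsentGranted":
            continue
        risky = sorted(RISKY_SCOPES.intersection(e.get("scopes", [])))
        if risky:
            verified = "verified" if e.get("publisher_verified") else "unverified"
            findings.append(Finding(
                e["user"], "consent",
                f"app '{e['app']}' ({verified} publisher) granted {', '.join(risky)}"))
    return findings


def flag_inbox_rules(events):
    """Return a Finding for every new inbox rule that forwards, redirects or deletes mail."""
    findings = []
    for e in events:
        if e.get("event") != "InboxRuleCreated":
            continue
        actions = e.get("actions", {})
        risky = sorted(RISKY_RULE_ACTIONS.intersection(actions))
        if not risky:
            continue
        # Surface the forwarding target so the reviewer sees where mail would go.
        targets = [str(actions[a]) for a in risky if a != "DeleteMessage"]
        target_note = f" -> {', '.join(targets)}" if targets else ""
        findings.append(Finding(
            e["user"], "inbox_rule",
            f"rule '{e['rule']}' uses {', '.join(risky)}{target_note}"))
    return findings


def triage(events):
    """Combine both checks; the interesting case is one user appearing in both lists."""
    return flag_consent_grants(events) + flag_inbox_rules(events)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.kind}] {f.user}: {f.detail}")
```

Run as-is, the script reports alice's consent to the Upgrade app and the forwarding-plus-delete rule created on her mailbox, and nothing for bob, whose grant only covers sign-in scopes and whose rule merely files mail into a folder. A user who shows up in both lists is the pattern the article describes and is the one to revoke and investigate first.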