Menu
Google will review web apps that want access to its users' data

Google will review web apps that want access to its users' data

Based on a new risk assessment process, some apps that want to use Google's identity services might need to undergo a review

In response to recent attacks where hackers abused Google's OAuth services to gain access to Gmail accounts, the company will review new web applications that request Google users' data.

To better enforce its policy regarding access to user data through its APIs (application programming interfaces), which states that apps should not mislead users when presenting themselves and their intentions, Google is making changes to the third-party app publishing process, its risk assessment systems and the consent page it displays to users.

Google is an identity provider, which means other web apps can use Google as the authentication mechanism for users accessing the app. Apps use the OAuth protocol to do this. These apps can also use Google's APIs to send users requests for information stored in Google's services.

Last week, a large number of users received a well-crafted phishing email that asked them to view a document in Google Docs. Clicking on the link redirected them to a Google OAuth consent page that said an application called Google Docs wanted access to their contacts and Gmail accounts.

The reason this spoofing attack worked is that there was no mechanism to prevent a third-party app registered to Google's OAuth service from using the same name as one of Google's own apps -- or the name of another legitimate third-party app.

Since the attack, Google has strengthened its risk assessment for new apps and made other changes to better detect such abuse. So app developers might see error messages when registering new applications or modifying existing ones in the Google API Console, Firebase Console, or Apps Script editor, the Google Identity Team said in a blog post.

On top of this, based on the results of the enhanced risk assessment, some web applications will need to undergo a manual review and approval process that could take from three to seven business days.

"Until the review is complete, users will not be able to approve the data permissions, and we will display an error message instead of the permissions consent page," the Google identity team said.

For now, developers will only be able to request a review during the application testing phase, but in the future, Google will also allow review requests during the registration phase.

Until the app is reviewed, developers will be able to continue testing their app using their own account, as well as to add additional testers.


Follow Us

Join the newsletter!

Error: Please check your email address.

Featured

Slideshows

Channel celebrates as HP marks 50 years in NZ

Channel celebrates as HP marks 50 years in NZ

HP marked 50 years in New Zealand at an event in the vendor's Auckland's headquarters last night, with a host of key channel figures coming along to celebrate. Photos by HP.

Channel celebrates as HP marks 50 years in NZ
EDGE 2017 - Icebreaker Sessions round 2

EDGE 2017 - Icebreaker Sessions round 2

EDGE guests experience the value of networking at the second round of Icebreaker sessions.. Photos by Maria Stefina

EDGE 2017 - Icebreaker Sessions round 2
EDGE 2017 Dinner Under the Stars

EDGE 2017 Dinner Under the Stars

EDGE's Day 2 keynote and breakout sessions were followed by the Dinner Under the Stars. Over 300 people were present to enjoy a seafood feast and lots of excitement at Hamilton Island's Bougainvillea Marquee. Photos by Maria Stefina.

EDGE 2017 Dinner Under the Stars
Show Comments