Google’s Gmail Warning—Do Not Use Any Of These Passwords

Posted by Zak Doffman, Contributor | 8 hours ago | /cybersecurity, /innovation, Cybersecurity, Innovation, standard | Views: 9


Google has confirmed details of a very complex attack with a very simple warning attached. Yet again, bad actors have exploited Google’s legitimate account infrastructure to trick users into compromising their own security. And while in this instance the victims were highly targeted, the basic vulnerability affects all users.

Google’s Threat Intelligence Group and Citizen Lab warn that Russian state-affiliated hackers used seemingly legitimate U.S. State Department email addresses to help target high-value individuals with emails and calendar invites. With a target hooked, a malicious PDF attachment was then sent which triggered a password request to open.


Victims were directed to https://account.google.com “to create an Application Specific Password (ASP) or ‘app password’. ASPs are randomly generated 16-character passcodes that allow third-party applications to access your Google Account, intended for applications and devices that do not support features like 2-step verification (2SV).”

As Citizen Lab says, “while many state-backed attackers still focus on phishing a target’s passwords and MFA codes, others are constantly experimenting with novel ways to access accounts.” This attack “is yet another effort to gain account access through a novel method: convincing the target user to create and share a screenshot of an App-Specific Password (ASP).”

The target was then told to share the Gmail ASP to open the document. This enabled the attackers to gain access to the victim’s Gmail account using that ASP. As Google says, “users have complete control over their ASPs and may create or revoke them on demand.” But if you don’t know you’ve been attacked, you have no reason to do so.

Two separate warnings here. If you consider yourself a high-value target for any flavor of sophisticated or even state-affiliated hacker, if you’re in a high-profile or high-risk job or location, then you should enable Google’s Advanced Protection Program. This will better lock down your account, but it is for a small minority of users.


For all others, the second warning is not to use these ASPs. Google warns “app passwords aren’t recommended and are unnecessary in most cases. To help keep your account secure, use ‘Sign in with Google’ to connect apps to your Google Account.”

Even if you’re not at risk from a sophisticated attack, the use of ASPs has now been flagged and it will be very easy for attackers to socially engineer simpler, wider campaigns that trick users into sharing ASPs using a wide variety of lures. As such, do not set these up and certainly never share them.
