Google Docs comment flaw exploited by attackers
A flaw in the comments feature of Google Docs is allowing attackers to target users with phishing emails.
Security researchers at email security company Avanan have observed what they call "a new, massive wave of hackers" using the comment feature in Google Docs during December to launch attacks, mainly against Outlook users.
It works by hackers adding a comment to a Google Doc that mentions the target with an @. Doing this automatically sends an email to that person's inbox, and that email includes the full comment, including any malicious links and text. Further, the email address of the commenter isn't shown, just the attacker's display name, making this ripe for impersonation.
Because the emails originate from Google and don't show the attacker's address it's also hard for spam filters to weed them out.
Researchers first identified that the comments feature of Google Docs, Sheets and Slides could be exploited to send spam emails in October last year. However, the known vulnerability has not been fully closed or mitigated by Google since.
To guard against these attacks, users are advised to cross-reference the commenter's email address to ensure it's legitimate before clicking on anything in a Google Docs comment. In addition, they should take the normal precautions, including checking links and inspecting grammar. If unsure, they should contact the legitimate sender and confirm they meant to send the comment. Avanan also advises deploying protection that secures the entire suite, including file-sharing and collaboration apps.
You can read more on the Avanan blog.