If someone has sent you a ‘Shared Google Doc,’ just don’t open it.
Update: It appears that Google has revoked access to the OAuth client.
A phishing attack that spread like wildfire amongst Google users appears to be under control. According to a Reddit user in contact with a Google Engineer, the issue has been resolved.
Just the same, if you receive an email asking you to share a Google document right now, don’t open it without first confirming that it is from a legitimate source, even if you think you recognize the email address. Call, text, or send a separate email to make sure it is from that person.
The exploit works by sending you an email with the header “[Name] has shared a document with you in Google Docs” with a link that reads “Open in Docs.” When you click on it, you will be redirected to Google’s official permissions page, where you will be prompted to enter your password. If you do enter your password, you will give permission to the exploit to access your email content and contacts.
This attack might appear in your inbox from an email address you recognize, or it might include CCs to contacts you recognize. It appears that the attack is a malicious OAuth client that gains access to a person’s Google address book, at which point the phishing message will be sent to everyone in that person’s contacts.
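The tell in the mechanism described above is the destination of the "Open in Docs" link: a real share opens a document on docs.google.com, while this campaign sent recipients to Google's OAuth consent page on behalf of a third-party client asking for mail and contacts access. The following triage helper is an added example, not code from the original article; the scope strings are real Google scopes, while the sample URLs, document ID and client ID are constructed placeholders.

```python
# Added example (not from the original article): triage a "shared document"
# email by looking at where its "Open in Docs" link really goes. A genuine
# Docs share links into docs.google.com; the campaign described above sent
# recipients to Google's OAuth consent page so a third-party client could ask
# for mail and contacts access. Scope strings are real Google scopes; the
# sample URLs, document ID and client ID are constructed placeholders.
from urllib.parse import urlparse, parse_qs

DOCS_HOSTS = {"docs.google.com", "drive.google.com"}
OAUTH_HOST = "accounts.google.com"
OAUTH_PATH_PREFIX = "/o/oauth2/"
# Scopes that hand a client the mailbox and address book (what the worm needed).
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

def classify_share_link(url: str) -> dict:
    """Return a verdict for a link that claims to open a shared document."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    # 'scope' is a space-separated list in OAuth 2.0 authorization requests.
    scopes = set(" ".join(parse_qs(parsed.query).get("scope", [])).split())
    verdict = {"host": host, "oauth_consent": False, "suspicious": False,
               "sensitive_scopes": sorted(scopes & SENSITIVE_SCOPES),
               "reason": ""}
    if host in DOCS_HOSTS:
        return verdict  # an ordinary Docs/Drive share link
    verdict["suspicious"] = True
    if host == OAUTH_HOST and parsed.path.startswith(OAUTH_PATH_PREFIX):
        verdict["oauth_consent"] = True
        verdict["reason"] = "share link leads to an OAuth consent screen"
        if verdict["sensitive_scopes"]:
            verdict["reason"] += " requesting mailbox/contacts access"
    else:
        verdict["reason"] = "share link leads to an unexpected host"
    return verdict

# Constructed samples: one genuine-looking share, one consent-phishing link.
LEGIT = "https://docs.google.com/document/d/EXAMPLE-DOC-ID/edit?usp=sharing"
PHISH = ("https://accounts.google.com/o/oauth2/auth?client_id=EXAMPLE-CLIENT"
         "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
         "&scope=https%3A%2F%2Fmail.google.com%2F"
         "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts")

if __name__ == "__main__":
    for link in (LEGIT, PHISH):
        print(classify_share_link(link))
```

The same check can run in a mail gateway or a user-reported-phish queue: any "shared document" message whose button resolves to a consent screen rather than a document is worth holding for review.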
From a comment on Hacker News:
It's a malicious OAuth client (multiple clients?) that fooled users into giving access to read emails, while pretending to show as if it was needed by GDocs itself to access a document, enabling the launch of, among other things, password resets on other websites.
If you are running any website that has “Reset my password” it's not compromised, since even though the attacker does not have access to the password, the attacker had access to the email inbox. Thus the reset flow will allow the attacker to compromise other websites that rely on the Gmail account.
If the exploit gains access to your content, it can potentially have access to other apps you are signed in with your Google account credentials.
If you think you may have already given permissions to the exploit, you should immediately change your password. You should also go to Google’s security checkup and scan your Account Permissions section to remove an app called “Google Docs” or “Google Chrome” (with the Google logo next to it). It is not a real app. You should be able to identify the fake app by noting its authorization date and time: if it falls within the timeframe in which you clicked on the infected link, it is probably the fake one and you should revoke its permissions.
Lastly, you should send individual emails, texts, or phone calls to people in your address book to let them know that your account might have been compromised and that they shouldn’t open any shared Google documents from you.