Following a series of Google Apps login phishing attacks (specifically on Google Docs) in 2017, Google made several improvements. At the time, while we welcomed Google taking steps to address the phishing problems, it caused issues for WordPress plugins.
Specifically, the updates made installation harder in cases where customers had to create a Google Cloud project with their own OAuth 2.0 Client ID and Secret.
To make things easier and safer for legitimate users who need to create Google applications, we recommended that Google:
- Allow users to authenticate against an OAuth ID they created using the same account as the one being used to access the app.
- Allow admins to whitelist specific Client ID/Secret pairs on their domain, and also allow any regular Gmail account to whitelist a pair for its own use.
- Provide a clearer error message where unverified apps encounter ‘Invalid Scope’.
- Deliver documentation explaining the new verification processes they have rolled out.
- Offer a more robust and selective solution than joining the ‘Risky’ Group (Google already confirmed to us they are aware this cannot be a permanent solution).
Since then, we have gathered further suggestions for WordPress users who use Google Apps login to deter attackers.