Google Rolls Out New Measure To Protect Against OAuth Abuse

Third-party applications that require the OAuth service for user data access are now subject to a new daily new user cap, company says.

Google OAuth Limits

Google has introduced a couple of new measures aimed at preventing rogue third-party software from spreading among users of Gmail, Drive and other Google cloud applications. 

Effective immediately, any third-party application that requires Open Authorization (OAuth) to access user data in Google apps will be subject to a daily total new user cap. The cap will restrict the number of new users that can authorize a particular app to access user data in Google apps. Google has also put a limit on how rapidly a particular application can acquire new users. 

"These enhanced protections will help protect our users and create an OAuth ecosystem where developers can continue to grow and thrive in a safer environment," Google associate product manager Luke Camery explained in a blog post June 4.

OAuth is a token-based standard for enabling limited sharing of protected information between different applications. It enables a user to authorize a third-party application to access their data without requiring any separate authentication for that to happen. 

For example, OAuth is central to a user's ability to log into a third-party website using their Gmail or Facebook login credentials.  Similarly, OAuth allows users to permit a third-party application or service—such as a cloud file sharing app—to access data in their Google or other account without the need to enter a username or a password. 

While the standard is considered very useful it also has its pitfalls. Last year for instance thousands of G Suite users became victims of a spam campaign when phishers tricked them into granting access to their contact list using a fake Google Docs permission request. Users who followed the links in the phishing email were taken to a legitimate Google sign-in screen where they essentially ended up granting access rights to a rogue application rather than to Google Docs. 

After that incident Google has been tightening some of the controls around its OAuth application environment. Last July for instance, the company began giving users stronger warnings about granting access to applications with which they were not familiar. The company began displaying an "unverified app" screen when users attempted to grant access to an application that was either new or that Google had not yet verified as trusted. 

Today's announcement builds on those protections by making it harder for an app developer to spread rogue applications via OAuth. With the additional measures, each new or unverified application will now have a limit on the number of users that can grant access to their Google data on a given day. The quota will be based on application history, the developers' reputation and the kind of data the application is seeking access to, Camery said. The quota limits the number of Google users that the developer of a rogue application can potentially impact. 

The majority of app developers should not be impacted by the change. Developers that expect to be impacted can request Google to verify their applications or they can request the company to increase their daily quota along with an explanation on why they need it. "We will actively monitor every application’s quota usage and take proactive steps to contact any developer whose application is approaching its quota," Camery said. 

Jaikumar Vijayan

Jaikumar Vijayan

Vijayan is an award-winning independent journalist and tech content creation specialist covering data security and privacy, business intelligence, big data and data analytics.