Russian hackers were able to raid victims’ email accounts by abusing an authorization system used by Google and Yahoo, according to security researchers.
The hacking group, nicknamed Fancy Bears by some experts, took advantage of a widely used permission system to trick users into handing over access to their emails, according to a report from security company Trend Micro.
Several security companies have claimed the hackers are controlled by the Russian government, something Russia has consistently denied.
At the heart of the attack, which dates back to 2015, was a system called Open Authorization, or OAuth, which is used by many of the largest tech companies, including Google and Yahoo.
It lets third-party apps access parts of a user’s account, such as contacts or email, without the user ever handing over their password. Instead, the user approves a permission request on the provider’s own site, and the app receives a token that covers only the permissions the user approved.
Here’s an example of how the system is supposed to work: when you register for a social network such as LinkedIn, the site often asks permission to see if you have any friends on Gmail who also use LinkedIn. If you click OK, LinkedIn is given access to your Gmail contacts by Google, but LinkedIn is not given your Google password.
Ordinarily, the companies asking for permission are legitimate (as LinkedIn is in the example above), and the user is told what is being requested and gives consent.
However, Trend Micro found evidence that the Russian hackers (whom it calls Pawn Storm) had abused the system. The hackers registered their own applications with the providers’ OAuth systems while posing as legitimate companies (in some cases, according to the researchers, this required little more than setting up a company website and email address).
The hackers then sent emails to Google and Yahoo users, carefully crafted to look as though they came from legitimate companies offering security updates. Because of the way OAuth works, the link in the email led to the provider’s own permission page, on a google.com or yahoo.com address, which made the email look all the more legitimate.
But rather than installing a security update, approving that permission request quietly handed the hackers’ application a token that let it read the user’s account via the OAuth system.
“Most internet users might not realize the applications [offered in the emails] are not endorsed and carefully checked by their email provider,” Trend Micro’s Feike Hacquebord wrote.
Once the permission was granted, the hackers had ongoing access to everything it covered, typically the victims’ emails and contacts.
That access also survived the user switching off their machine, logging out, or even changing their password: an OAuth grant is separate from the password, and it ends only when the user revokes the application from the account’s list of connected third-party apps (for Google accounts, the “Third-party apps with account access” page in account settings).
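To make the mechanics above concrete, here is an added example in Python that models the permission flow described in the LinkedIn paragraph and then the abuse described after it. It is not code from Trend Micro, Google or Yahoo. The provider, its app registry and its token handling are simplified stand-ins (assumptions), and the attacker’s app name, client ID, redirect address and the victim address are constructed for the example. Only the authorization endpoint is a real Google URL, used to show that the consent link itself sits on the provider’s own domain even when the app behind it is malicious.

```python
"""Toy model of OAuth consent phishing.

Added example, not Trend Micro's, Google's or Yahoo's code. The Provider
class is a simplified stand-in (assumption); the attacker app, its
client_id, redirect_uri and the victim address are constructed values.
"""
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse, parse_qs
import secrets

# Real Google endpoint, shown only to illustrate that the link is on google.com.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
SENSITIVE_SCOPES = {"https://mail.google.com/",
                    "https://www.googleapis.com/auth/contacts"}


@dataclass
class Client:
    name: str
    redirect_uri: str


@dataclass
class Provider:
    clients: dict = field(default_factory=dict)         # client_id -> Client
    codes: dict = field(default_factory=dict)           # code -> (user, client_id, scopes)
    refresh_tokens: dict = field(default_factory=dict)  # token -> (user, client_id, scopes)
    passwords: dict = field(default_factory=dict)

    def register_client(self, client_id, name, redirect_uri):
        # Self-service registration: the provider does not vet the developer.
        self.clients[client_id] = Client(name, redirect_uri)

    def authorization_url(self, client_id, scopes, state):
        # The link a phishing mail carries; its host is the provider's own.
        params = {"client_id": client_id,
                  "redirect_uri": self.clients[client_id].redirect_uri,
                  "response_type": "code", "scope": " ".join(scopes),
                  "state": state}
        return f"{AUTH_ENDPOINT}?{urlencode(params)}"

    def consent(self, user, url, approve):
        """User lands on the consent page; clicking Allow yields a code."""
        q = parse_qs(urlparse(url).query)
        if not approve:
            return None
        code = secrets.token_hex(8)
        self.codes[code] = (user, q["client_id"][0], q["scope"][0].split())
        return code

    def exchange_code(self, code):
        # The app trades the code for tokens; the refresh token is long-lived.
        user, client_id, scopes = self.codes.pop(code)
        rt = secrets.token_hex(16)
        self.refresh_tokens[rt] = (user, client_id, scopes)
        return {"access_token": secrets.token_hex(8), "refresh_token": rt}

    def refresh(self, refresh_token):
        # Returns a fresh access token while the grant exists, else None.
        if refresh_token not in self.refresh_tokens:
            return None
        return secrets.token_hex(8)

    def change_password(self, user, new_password):
        # Password change deliberately leaves existing grants untouched.
        self.passwords[user] = new_password

    def revoke(self, user, client_id):
        # What actually ends the access: removing the app from the account.
        doomed = [rt for rt, (u, c, _) in self.refresh_tokens.items()
                  if u == user and c == client_id]
        for rt in doomed:
            del self.refresh_tokens[rt]
        return len(doomed)


def triage_authorization_url(provider, url):
    """Defender's view: the host is not the signal; the app and scopes are."""
    parts = urlparse(url)
    q = parse_qs(parts.query)
    scopes = set(q["scope"][0].split())
    return {
        "host_is_provider": parts.netloc == urlparse(AUTH_ENDPOINT).netloc,
        "app_name": provider.clients[q["client_id"][0]].name,
        "redirect_host": urlparse(q["redirect_uri"][0]).netloc,
        "sensitive_scopes": sorted(scopes & SENSITIVE_SCOPES),
    }


def run_scenario():
    p = Provider()
    # Constructed attacker app: plausible name, non-provider redirect target.
    p.register_client("attacker-client-id", "Mail Security Update",
                      "https://example.invalid/cb")
    url = p.authorization_url("attacker-client-id", sorted(SENSITIVE_SCOPES), "x")
    findings = triage_authorization_url(p, url)
    code = p.consent("victim@example.com", url, approve=True)
    tokens = p.exchange_code(code)
    p.change_password("victim@example.com", "new-and-strong")
    alive_after_password_change = p.refresh(tokens["refresh_token"]) is not None
    p.revoke("victim@example.com", "attacker-client-id")
    alive_after_revoke = p.refresh(tokens["refresh_token"]) is not None
    return findings, alive_after_password_change, alive_after_revoke
```

The triage function is the practical takeaway: a consent link on the provider’s domain proves nothing about the app behind it, so look at the registered app name, where the tokens are sent (the redirect address) and which permissions are requested. The scenario also shows why a password reset alone does not end the intrusion, and that revoking the app does.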
It is believed that both Google and Yahoo were informed that the system was being abused.
Neither Google nor Yahoo responded to requests for comment.
Full disclosure: the author has given several presentations for Trend Micro on cybersecurity, and has received a fee for this work.