Google G-Suite spotted erecting stiff member vetting tool

Tech News 2017-07-19

Stung by phishing attacks aimed at G Suite users earlier this year, Google has armored its cloud with extra security layers.

Following recent defenses against the dark arts – security key enforcement, app name vetting, and OAuth whitelisting – the Chocolate Factory has designed some interface signage to warn G Suite users not to accept web apps and Apps Scripts too hastily.

"Beginning today, we're rolling out an 'unverified app' screen for newly created web applications and Apps Scripts that require verification," said Naveen Agarwal, a member of Google's Identity team, and Wesley Chun, developer advocate for G Suite, in a blog post. "This new screen replaces the 'error' page that developers and users of unverified web apps receive today."

The "unverified app" screen gets presented before the screen seeking permission to grant a web app access to G Suite data, in order to underscore the risk of consenting to use an app of uncertain provenance. Users may still accept such apps – a flow that requires three affirmative clicks and typing "continue" – but at least they will have been warned.

The "unverified app" screen also helps developers by allowing them to test apps without first going through OAuth verification, a requirement implemented previously in response to abuses.

Apps Script code (by which Google's apps may be automated) that seeks OAuth access to data or information about users in other domains must also wear the "unverified app" scarlet letter. And Google is presenting additional cautionary language that's been added to the pre-OAuth alert and below the URL window to encourage G Suite users to think before trusting applications and scripts.

It's about time. Those interested in app security have been talking about potential Apps Script problems at least since 2014. In February, security engineer Greg Carson posted PoC code to demonstrate how the technology can be abused.

The latest protections apply to newly created web apps and Apps Scripts. In the coming months, Google intends to extend them to existing applications and scripts. This may require developers to revisit the Google Cloud Console to go through the verification process. ®

PS:
Google has also launched a recruitment tool called Hire, another service it will presumably shut down in three years.
