If you saw a Google Docs email from someone you knew, you’d open it, right? And if, having clicked through, Google asked you to log in again, would you think something was wrong?

For countless Gmail users, the answer was no. Yesterday, a sophisticated phishing attack swept through the network, masquerading as a Google Docs permission request. Every time someone followed the prompts, the app would gain access to the user’s contact list and blast out a new round of emails, causing a ripple effect of compromised accounts. According to Google, the attack affected less than 0.1 percent of Gmail users, but that’s still as many as 1 million people. And while the scheme can look simple, it was actually a string of linked spoofs, each made possible by Google’s reassuring presence on a fundamentally open system, and raising serious questions about how the company structures its products.


To understand how that happened, we need to take a step-by-step look at how the attack worked. The first thing targets saw was the email, sent with the familiar subject line “Russell has shared a document on Google Docs with you.” (That’s actually closer to the Calendar lingo than Docs, which leads off with the name of the document itself, but clearly it was close enough.) From there, the email presented a line of text (“Russell has invited you to view the following document”) followed by an “Open in Docs” button in the familiar Google blue.

On a technical level, the link is basically a “click here to install my app” button. The only clever part is making it look like something else. Of course, anyone can send an email, and you have near-total control over how that email looks when it arrives in someone’s inbox. You could stop a person from disguising a message in a closed system like an App Store or a private messaging system, but email is an open protocol, just like the web itself.

If you were really clever, you might have looked at the URL before you clicked the link, in which case you would have seen this:

https://accounts.google.com/o/oauth2/auth?client_id=346348828325-vlpb3e70lp89pd823qrcb9jfsmu556t8.apps.googleusercontent.com&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts&immediate=false&include_granted_scopes=true&response_type=token&redirect_uri=https%3A%2F%2Fgoogledocs.g-cloud.pro%2Fg.php&customparam=customparam

That’s unusual — you’d expect it to start with “docs.google.com,” for instance — but it does say “Google” a lot. But then, anyone can host user content on a Google account, so that’s not so hard to arrange.

That brings us to the login page, arguably the cleverest part. It looks exactly like a Google login page because, well, it is. As far as Google is concerned, you’ve chosen to install a third-party extension to your Gmail account and you’re using Google to authorize it, the same way you would for a legitimate extension like Boomerang or Unroll.me. Even though you’re using Gmail (and probably Chrome, too), Google doesn’t control that process. It happens through an open protocol called OAuth, the same system that lets you use your Google Account to log in to Facebook or Twitter. Anyone can make an OAuth application, just like anyone can send an email, and there’s no administrator to kick spammers off the system just because they’re using it for bad things.
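The consent URL quoted above carries everything a defender needs to judge the request before clicking. As an added example, not part of the article, here is a small Python triage script that parses such a URL and flags the traits that made this app dangerous: a full-mailbox scope, a contacts scope, the implicit flow (`response_type=token`), and a token redirect to a host outside google.com. The scope descriptions and the "Google host" check are my assumptions, not Google's published classification.

```python
# Added example (not from the article): triage an OAuth 2.0 consent URL.
from urllib.parse import urlparse, parse_qs

# The two scopes the phishing app asked for, with what they grant (assumed wording).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read/send/delete access to the mailbox",
    "https://www.googleapis.com/auth/contacts": "read/write access to contacts",
}

# The authorization URL as quoted in the article (the client_id is the real one it printed).
PHISH_URL = ("https://accounts.google.com/o/oauth2/auth?client_id=346348828325-vlpb3e70lp89pd823qrcb9jfsmu556t8.apps.googleusercontent.com"
             "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
             "&immediate=false&include_granted_scopes=true&response_type=token"
             "&redirect_uri=https%3A%2F%2Fgoogledocs.g-cloud.pro%2Fg.php&customparam=customparam")


def is_google_host(host):
    """True only for google.com and its subdomains (suffix check, not substring)."""
    host = host.lower()
    return host == "google.com" or host.endswith(".google.com")


def triage_oauth_url(url):
    """Return the parts of the consent request that matter, plus a list of warnings."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)          # decodes %XX and turns '+' into a space
    first = lambda key: q.get(key, [""])[0]
    scopes = first("scope").split()     # scope is a space-separated list
    redirect = urlparse(first("redirect_uri"))
    warnings = []
    for s in scopes:
        if s in HIGH_RISK_SCOPES:
            warnings.append("scope %s grants %s" % (s, HIGH_RISK_SCOPES[s]))
    if first("response_type") == "token":
        warnings.append("implicit flow: the access token goes straight to redirect_uri")
    # A non-Google redirect is normal for legitimate third-party apps too; it is the
    # combination with a Google-branded email and broad scopes that is the tell.
    if redirect.hostname and not is_google_host(redirect.hostname):
        warnings.append("token will be delivered to third-party host %s" % redirect.hostname)
    return {
        "consent_host": parsed.hostname,
        "client_id": first("client_id"),
        "scopes": scopes,
        "response_type": first("response_type"),
        "redirect_host": redirect.hostname,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for line in triage_oauth_url(PHISH_URL)["warnings"]:
        print("WARNING:", line)
```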

This is a core strategy for Google: embracing open protocols and building on top of them until it’s difficult to tell where one ends and the other begins. Versions of that can be seen in almost all the company’s products, most notably Gmail, AdWords, and search, but it’s on particular display here. A company like Apple might have made a special login process for in-house products, but logging into the real Google Docs through OAuth is no different from logging into Joe’s Document Reader. When Google wants to share something, it sends you an email — not a notification or a Google+ pop-up, but an email. That makes it easier to pick and choose your Google services, but it also makes it harder to tell when you’ve ventured outside the Google garden. That confusion was what made the spam attack so effective: it looked like Google, so people trusted it.

In some ways, this was a relatively toothless hack. It was noisy, blasting out millions of emails over the course of a few hours, so administrators were able to spot it early. Since Gmail has the power to blacklist extensions, the system was able to block the phony “Google Docs” extension en masse, and the nature of the attack has already made the spammer himself far more exposed than most malware authors. Because the extension worked through OAuth rather than a new login page, there’s also no indication that any passwords were compromised.

But the deeper weaknesses exploited by the hack are serious, and they’re not going anywhere. Sophisticated hacking groups often use fake login pages as a way to crack accounts — most recently in the Podesta hack — and there’s no easy way to stop them. Dummy apps are a persistent problem on the Google Play Store, and while Google has ongoing efforts to find and ban the apps, there’s no blanket solution. There are real reasons to take this risk: open platforms like email and OAuth are important, particularly for new products and ideas trying to break through without a major company backing them. But as companies and products consolidate, those divisions can leave users confused about what to trust, and Google’s cake-having strategy doesn’t make it any clearer. The result is a system-level security flaw, and one that we won’t be able to close anytime soon.