Google rolls out new protections against phishing plugins

Another response to the Google Docs worm in May

Google is making it even harder to accidentally install a malicious plugin. Today, the company announced new changes to the way Google services handle plugins, adding new warnings for users and a more involved verification system for apps. The result is more scrutiny on apps plugging into Google services, and more active involvement from Google when an app seems suspicious.

The changes come after a sophisticated phishing worm hit Google Drive users in May, masquerading as an invitation to collaborate on a document. The malicious plugin was not controlled by Google, but because it was named “Google Docs,” the app was able to fool many users into granting access. Once granted access, it sent a new request to everyone in the target’s contact list, allowing the app to spread virally. Ultimately, the app was blacklisted by Google, but not before it reached tens of thousands of users.

Google’s new app verification screen.

Today, such an attack would be much harder to perform. Shortly after the worm, Google strengthened its developer registration systems, making it harder for anonymous actors to plug unknown apps into Google accounts. The announcement today takes that system even further, warning users whenever an unverified app requests access to user data.

Malicious or compromised plugins remain a significant security risk for Google and other platforms, as a string of recent incidents has demonstrated. The security group OurMine has specialized in those attacks, posting false messages from accounts controlled by Sundar Pichai, Jack Dorsey, and Sony Music, which tweeted a false report of Britney Spears’ death.

In each case, OurMine gained access by compromising a third-party application that was authorized to post to the targeted account. An active social media user might have hundreds of plugins authorized to access their Twitter or Facebook account, giving hackers hundreds of potential ways in. Users can protect against these attacks by monitoring authorized applications and revoking access for any apps they no longer use.
