It seems Google Docs was reportedly hit today by a new scam which had the potential to spread extremely quickly. However, it also seems as though Google was fairly fast to respond as the current status doing the rounds on social media is that the issue has now been fixed. At least, in a temporary capacity. So while this is something worth knowing about, it is apparently not something that you have to still be concerned about.
The way the scam worked is by users receiving a Google Docs link via an email. The link appeared much like a Google Docs link would and there does not seem to be any obvious signs that it is a scam at this stage. In fact, what made the scam so much more effective is that the emails were coming from known senders. So there was no reason to necessarily doubt the email or its contents. However, once clicking on the link, the email recipient would be redirected to a Google login page (to obviously allow the user to select an account to view the Doc), along with a permissions page asking for certain permissions for Google Docs – like reading emails and accessing contacts. Which seems to be the one (and really, only) point at which the average user might notice that things are not right – as Google Docs does not require such permissions, it already has them. Either way, once granted, the scam had been complete and those behind the email will have gained access to the user’s full email history and contacts. At which point, the scam takes on its second life by starting the process again and sending emails to everyone the user has as a contact (or reportedly has ever emailed) with of course, the latest victim as the sender.
As mentioned though, it does currently seem as though the issue has now been resolved. At least, this is what is being reported with the details explaining that Google has deactivated oauth client privileges. Which is likely a short term fix for the issue, but a fix nonetheless. This also does likely mean that such an email still might arrive in your inbox and containing the scam link, with the difference being that clicking on that link will not allow the rinse and repeat process of the scam to continue. It will just be a dead link. Although in either case, email recipients should avoid clicking the link anyway.