A New Phishing Technique Bypasses Gmail Security: Vulnerability Found in Google OAuth

A highly sophisticated phishing attack exploiting a vulnerability in Google’s OAuth system has been uncovered. This attack successfully bypasses Gmail’s security filters and authentication mechanisms, appearing completely legitimate to users — the emails seem to come from official Google domains and pass all security checks, including DKIM (DomainKeys Identified Mail) verification.

Ethereum Name Service (ENS) developer Nick Johnson revealed that he had fallen victim to this threat. He wrote the following on the social network X (formerly Twitter):

“I was recently targeted by an extremely sophisticated phishing attack. It exploits a vulnerability in Google’s infrastructure. Considering Google’s refusal to fix the issue, I believe such attacks will become even more common.”

The attack is technically complex and employs a method known as a “DKIM replay attack” — which involves the reuse of legitimate, DKIM-signed messages. Unlike traditional phishing attempts that rely on fake login pages, this technique manipulates the actual OAuth authorization process.

How the Attack Works

The attack unfolds in the following steps:

  1. The attackers register their own domain and create a Google account with a username like “me@domain”.
  2. They then register a Google OAuth application with a phishing message embedded in the app’s name.
  3. When the attackers grant the app access to their own Google account, Google automatically sends a security alert to that account's inbox.
  4. This message — signed with Google’s genuine DKIM key — is then forwarded to potential victims.
  5. The email comes from “no-reply@google[.]com” and passes all standard verification checks.

In Johnson’s case, the message claimed that a subpoena had been issued to Google LLC requiring the release of his account data, complete with an official-looking case number.

The email linked to a page hosted on sites.google.com; because the page sits on a Google domain it looks legitimate, but it redirected users to a fake login page mimicking Google’s interface in order to harvest credentials.
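The defensive angle on the steps above is that the DKIM signature is genuine but the delivery path is not: a replayed alert was handed to the recipient by whatever mail server the attacker forwarded it from, and the lure link points at user-hosted content on sites.google.com. The following script is an added example, not code from the article or from Google, that triages a raw message on those two signals. It assumes the receiving MTA records its own Received header, treats any hostname under google.com or googlemail.com as Google infrastructure, and takes the receiving organization's own domain as a parameter; both sample messages, their hostnames, IPs (documentation ranges) and signature values are constructed placeholders.

```python
import re
from email import message_from_string, policy

# Assumption for this example: a host or DKIM signer is "Google" if it is under one of these.
GOOGLE_DOMAINS = ("google.com", "googlemail.com")

# Constructed sample: a genuine-looking Google security alert that was relayed
# through a non-Google host AFTER Google signed it (all values are placeholders).
SAMPLE_REPLAYED = """\
Received: from mx.third-party-relay.example (mx.third-party-relay.example [203.0.113.10])
 by inbound.victim.example with ESMTPS; Thu, 17 Apr 2025 10:00:00 +0000
Received: from mail-out.google.com (mail-out.google.com [192.0.2.41])
 by mx.third-party-relay.example with ESMTPS; Thu, 17 Apr 2025 09:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=PLACEHOLDER;
 h=to:from:subject:date:message-id:mime-version; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: me@attacker-controlled.example
Subject: Security alert
Content-Type: text/plain; charset="UTF-8"

A third-party app was granted access to your Google Account.
Review the case here: https://sites.google.com/view/placeholder-case
"""

# Constructed sample: the same kind of alert delivered directly by Google.
SAMPLE_DIRECT = """\
Received: from mail-out.google.com (mail-out.google.com [192.0.2.41])
 by inbound.victim.example with ESMTPS; Thu, 17 Apr 2025 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=PLACEHOLDER;
 h=to:from:subject:date:message-id:mime-version; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: user@victim.example
Subject: Security alert
Content-Type: text/plain; charset="UTF-8"

A third-party app was granted access to your Google Account.
Review your account activity at https://myaccount.google.com/
"""


def _is_under(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def dkim_signer_domain(msg):
    """Return the d= tag (signing domain) of the first DKIM-Signature header, or None."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
    return m.group(1).lower() if m else None


def post_signing_hops(msg):
    """Return (from_host, by_host) for each Received header ABOVE the DKIM-Signature.

    MTAs prepend Received headers, so every one above the signature was added
    after Google signed the message: that is the path a replayed message took."""
    hops = []
    for name, value in msg.items():
        if name.lower() == "dkim-signature":
            break
        if name.lower() == "received":
            text = str(value)
            frm = re.search(r"\bfrom\s+([\w.-]+)", text)
            by = re.search(r"\bby\s+([\w.-]+)", text)
            hops.append((frm.group(1).lower() if frm else "",
                         by.group(1).lower() if by else ""))
    return hops


def assess(raw, own_domain):
    """Flag a Google-signed message that passed through a host that is neither Google's nor ours."""
    msg = message_from_string(raw, policy=policy.default)
    signer = dkim_signer_domain(msg)
    foreign = sorted({h for hop in post_signing_hops(msg) for h in hop
                      if h and not _is_under(h, GOOGLE_DOMAINS)
                      and not _is_under(h, (own_domain,))})
    body = msg.get_content() if not msg.is_multipart() else ""
    sites_links = re.findall(r"https?://sites\.google\.com/\S+", body)
    return {
        "signer": signer,
        "foreign_hops": foreign,
        "sites_google_links": sites_links,
        "replay_suspected": signer is not None
                            and _is_under(signer, GOOGLE_DOMAINS)
                            and bool(foreign),
    }


if __name__ == "__main__":
    for label, sample in (("replayed", SAMPLE_REPLAYED), ("direct", SAMPLE_DIRECT)):
        print(label, assess(sample, "victim.example"))
```

Both signals are triage hints rather than proof: a user's own auto-forwarding rule or a mailing list also inserts post-signing hops, and sites.google.com hosts plenty of benign content. What the check does capture is the property this campaign relied on, namely that DKIM and DMARC vouch for who signed the message, not for who delivered it, so a verdict that stops at "DKIM pass" misses the replay entirely.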

Google Acknowledges the Threat

Google has confirmed that it is aware of this phishing campaign and acknowledged that attackers are creatively abusing OAuth and DKIM mechanisms. The company stated that it is working on a fix and expects a full solution to be deployed soon.

Later, Nick Johnson updated his followers:

“Google has changed its stance and decided to fix the OAuth vulnerability!”

Recommendations for Users

Cybersecurity experts strongly advise users to take the following precautions:

  • Enable two-factor authentication (2FA);
  • Use passkey technology where available;
  • Be cautious with emails — even those that appear to come from trusted sources.

In particular, users should be wary of any message asking for login credentials or account verification. Today’s phishing campaigns go beyond fake websites — attackers are now skillfully exploiting trusted systems like OAuth 2.0.