 !!! Warning:
"Hackers abuse Google sheets to impersonate tax authorities"

If the government emails you asking for money, I can finally legally advise you (for security purposes) to ignore them.

There's a new 0-day in negligent Google Sheets that is YET ANOTHER reason to completely abandon their invasive Workspaces.  The bug allows hackers to remotely mass email, by enabling a Python script to masquerade as a PDF on Windows, from Google Sheets. [1][2]  Hackers have been abusing this to impersonate government officials and ravage private businesses in many countries.  And since use of their Workspace products is so common among many institutions, this has serious risks for stolen funds (on top of regularly scheduled government theft).

According to Bleeping Computer, "Google Sheets is used as a command and control server, pinging it to get new commands to execute on the infected device and as a repository for stolen data". [2]  It is surprising to see that this type of attack has not been fixed, given that a year ago Chinese hackers abused Google Sheets as a command and control server in a similar way. [4]

Not only is it the government, but hackers are also targeting insurance, aerospace, transportation, academia, finance, technology, industrial, healthcare, automotive, hospitality, energy, media, manufacturing, telecom, and social benefit organizations. [1]

The Google Sheets bug is only able to work if you're using Microsoft Windows.  Ironically, Google came under heat a year ago for trying to have Chrome force the operating system to attest that it's a "secure environment" (called Web Environment Integrity API) [3], which would lock Linux users out of many services as there's no company to verify identities.

But now, ironically, Google Sheets is only vulnerable on what they told us was the secure environment of Windows.  Just imagine if Chrome's plans to haze Linux had gone through, how much worse this current situation would be.

So I once again urge you to transition to Linux.  And:
For your safety, please ignore emails from governments

Sources: https://simplifiedprivacy.com/google-sheets/hacked.html