A phishing campaign has compromised 30,000 Facebook accounts by exploiting Google AppSheet. The attackers built no-code applications that posed as legitimate ones, tricking users into granting dangerous permissions. Through fake Facebook emails and notifications, victims followed links that stole their credentials and hijacked their profiles, exposing sensitive data.
The abuse of no-code platforms as an attack vector 🛡️
Google AppSheet lets anyone build apps without programming, but here its legitimate purpose was subverted. The attackers designed interfaces that mimicked Facebook and requested OAuth permissions to access profiles, messages, and session tokens. Because the apps were hosted on Google's infrastructure, they passed basic security filters that rely on the reputation of the hosting domain. The credential theft ran in the background while the victim believed they were interacting with an official page.
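The weakness the paragraph describes is that reputation-based filtering trusts the hosting provider, not the page. The following Python script is an added example, not code from the article or from any vendor, that contrasts a reputation-only check with a brand/link-mismatch check: instead of asking "is this host reputable?", it asks "does this link actually lead to the brand the message claims to be from?". The notification text, the `nocode-platform.example` hosting domain (standing in for any no-code provider) and the `BRAND_DOMAINS` allowlist are all constructed for illustration; a real deployment would populate the allowlist from the brand's published domains and use the Public Suffix List for registrable-domain parsing.

```python
"""Brand/link-mismatch triage for notification e-mails (added example).

A filter that trusts "well-known hosting" passes a lure hosted on a big
provider; a check anchored on the claimed brand still flags it.
All domains and messages below are constructed, not taken from the campaign.
"""
import re
from urllib.parse import urlparse

# Assumption: domains a defender knows the brand legitimately links to.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "fb.com", "facebookmail.com", "fbcdn.net"},
}

# Constructed reputation list of "trusted" hosting providers; this is the
# kind of list that let the no-code-hosted lure through.
TRUSTED_HOSTING = {"nocode-platform.example", "cdn-provider.example"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def registrable_domain(host):
    """Last two labels of a hostname (fine for .com/.net; use the Public
    Suffix List in production to handle multi-part TLDs such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(text):
    """All http(s) URLs found in the message body."""
    return URL_RE.findall(text)


def reputation_filter_passes(url):
    """True when a reputation-only filter would wave the link through."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host) in TRUSTED_HOSTING


def brand_mismatch(claimed_brand, url):
    """True when the link's registrable domain is not one the claimed brand
    owns. A lookalike such as facebook.com.evil.example resolves to
    evil.example and is therefore flagged."""
    host = urlparse(url).hostname or ""
    allowed = BRAND_DOMAINS.get(claimed_brand.lower(), set())
    return registrable_domain(host) not in allowed


def triage(claimed_brand, message):
    """One (url, passes_reputation, brand_mismatch) tuple per link found."""
    return [
        (u, reputation_filter_passes(u), brand_mismatch(claimed_brand, u))
        for u in extract_links(message)
    ]


# Constructed sample notification: one lure on "trusted" hosting, one real link.
SAMPLE_MESSAGE = """Your Facebook account has a new security alert.
Review it now: https://myapp.nocode-platform.example/fb-security
Or visit https://www.facebook.com/settings"""


if __name__ == "__main__":
    for url, rep_ok, mismatch in triage("facebook", SAMPLE_MESSAGE):
        verdict = "FLAG" if mismatch else "ok"
        print(f"{verdict:4} reputation_passes={rep_ok!s:5} {url}")
```

Run as a script it prints one line per link: the lure passes the reputation check yet is flagged by the brand mismatch, while the genuine `facebook.com` link passes both. The design point is that the allowlist is keyed on who the message claims to be, which is information the attacker must supply to make the lure convincing, so it cannot be evaded by moving the lure to a better-reputed host.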
Not even no-code apps will save you from phishing 😅
It turns out that even with tools that let you build apps without knowing how to code, you are not safe from scammers. Now fraudsters also use no-code to look more modern and professional. 30,000 people fell into the trap because the fake app carried Google's seal, as if that were a guarantee of purity. Phishing has evolved: it's no longer just a Nigerian prince, now it's an app that promises to make your life easier while emptying your profile.