Massive phishing on Facebook using Google AppSheet

Published on May 02, 2026 | Translated from Spanish

A phishing campaign has compromised 30,000 Facebook accounts by exploiting Google AppSheet. Attackers created no-code applications that appeared legitimate, tricking users into granting dangerous permissions. Through fake Facebook emails and notifications, victims clicked on links that stole credentials and took control of their profiles, exposing sensitive data.

A user falls for phishing on a fake Facebook using AppSheet, showing a stolen credentials screen and deceptive notifications.

Abuse of no-code platforms as an attack vector 🛡️

Google AppSheet lets anyone build apps without writing code, and the attackers abused that legitimate capability. They designed interfaces that mimicked Facebook and requested OAuth permissions to access profiles, messages, and session tokens. Because the apps were hosted on Google's infrastructure, they bypassed basic security filters. Credential theft occurred in the background while the victim believed they were interacting with an official page.
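One way a mail filter can compensate for the trusted-host blind spot described above is to compare the brand a message claims with where its sender and links actually point. This is an added sketch, not code from the campaign, Google or Meta; the domain lists, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lists for this sketch: brand-owned domains and the no-code host.
BRAND_DOMAINS = {"facebook.com", "fb.com", "meta.com", "facebookmail.com"}
BRAND_WORDS = re.compile(r"\b(facebook|meta)\b", re.I)
NOCODE_HOSTS = {"appsheet.com"}  # reputable host that a reputation-only filter passes
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def in_domains(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def assess(raw):
    """Return findings for one RFC 5322 message with a plain-text body."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = " ".join((display, msg.get("Subject", ""), body))
    findings = []
    if not BRAND_WORDS.search(text):
        return findings  # no brand claim, nothing to cross-check
    if not in_domains(sender_host, BRAND_DOMAINS):
        findings.append("brand-claim-sender-mismatch:" + sender_host)
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if in_domains(host, BRAND_DOMAINS):
            continue  # link stays on the brand's own domains
        tag = "brand-link-on-nocode-host" if in_domains(host, NOCODE_HOSTS) else "brand-link-offsite"
        findings.append(tag + ":" + (host or ""))
    return findings

# Constructed sample messages (not taken from the campaign).
SUSPICIOUS = """From: Facebook Support <notify@mailer.example>
Subject: Your Facebook page will be disabled

Confirm your account here: https://www.appsheet.com/start/EXAMPLE-APP-ID
"""
GENUINE = """From: Facebook <security@facebookmail.com>
Subject: New login to Facebook

Review activity: https://www.facebook.com/settings
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("genuine", GENUINE)):
        print(name, assess(raw))
```

The check keys on the mismatch between claimed brand and destination, so it still fires when the link host itself has a clean reputation.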

Even no-code apps don't save you from phishing 😅

It turns out that even tools for building apps without knowing how to code offer no escape from scammers. Fraudsters now use no-code platforms too, to look more modern and professional. 30,000 people fell into the trap because the fake app carried Google's seal, as if that were a guarantee of purity. Phishing has evolved: it's no longer just a Nigerian prince; now it's an app that promises to make your life easier while emptying your profile.