PANews reported on April 17 that, according to Bitcoin.com, ENS lead developer Nick Johnson revealed a sophisticated phishing attack that exploited weaknesses in Google's systems, in particular the recently fixed OAuth vulnerability. According to Johnson, the attacker first sent a fraudulent email that appeared to come from Google's legal department, falsely claiming that the recipient's account was involved in a subpoena investigation. These emails carried a valid DKIM signature and were sent from Google's official no-reply domain, so they passed Gmail's spam filters with ease. Johnson pointed out that a sites.google.com hyperlink to a fake support portal greatly increased the credibility of the scam. The fake Google login page exposed two major security weaknesses: first, the Google Sites platform allows arbitrary scripts to run, letting criminals build pages that steal credentials; second, the OAuth protocol itself has flaws.
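The combination described above, a message that passes DKIM for the sender's own domain yet links to a page anyone can publish under that domain, is something a mail gateway or SOC triage script can flag. The following Python is an added detection example written for this page, not code from Bitcoin.com, Nick Johnson or Google; the sample messages, the `no-reply@google.com` sender address, the `Authentication-Results` values and the `accounts.google.com` "legitimate login host" list are constructed assumptions for illustration.

```python
"""Flag DKIM-authenticated mail whose links point to user-publishable hosts.

Added example (not from the original report). Sample messages below are
constructed; only sites.google.com as a user-content host comes from the page.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Hosts where anyone can publish a page under a trusted parent domain.
# sites.google.com is the one named in the report; extend as your environment needs.
USER_CONTENT_HOSTS = {"sites.google.com"}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def dkim_pass_domain(msg):
    """Return header.d= from Authentication-Results when dkim=pass, else None."""
    ar = str(msg.get("Authentication-Results", ""))
    m = re.search(r"dkim=pass[^;]*?header\.d=([\w.-]+)", ar)
    return m.group(1).lower() if m else None


def from_domain(msg):
    """Domain part of the From: address, or None if unparsable."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def extract_links(msg):
    """Collect href targets and bare URLs from every text part of the message."""
    links = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            text = part.get_content()
            links.update(HREF_RE.findall(text))
            links.update(URL_RE.findall(text))
    return sorted(links)


def analyze(raw_message):
    """Return a verdict dict: authenticated sender + user-content link => suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    dkim_domain = dkim_pass_domain(msg)
    sender = from_domain(msg)
    # DKIM only proves the signing domain handled the mail; an aligned From: domain
    # is exactly what makes the lure convincing, so that is the case we want to catch.
    aligned = (
        dkim_domain is not None
        and sender is not None
        and (sender == dkim_domain or sender.endswith("." + dkim_domain))
    )
    findings = []
    for link in extract_links(msg):
        host = (urlparse(link).hostname or "").lower()
        if host in USER_CONTENT_HOSTS:
            findings.append(f"authenticated mail links to user-content host {host}: {link}")
    return {
        "dkim_pass_domain": dkim_domain,
        "from_domain": sender,
        "aligned_sender": aligned,
        "findings": findings,
        "suspicious": aligned and bool(findings),
    }


# Constructed sample resembling the lure described in the report.
SAMPLE_LURE = """\
From: Google <no-reply@google.com>
To: victim@example.com
Subject: Notice of subpoena
Authentication-Results: mx.example.com; dkim=pass header.i=@google.com header.d=google.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account is subject to a subpoena. Review the case at
<a href="https://sites.google.com/view/legal-support-case">Google Support</a>.</p></body></html>
"""

# Constructed benign sample: same authentication, but the link stays on a first-party host.
SAMPLE_BENIGN = """\
From: Google <no-reply@google.com>
To: user@example.com
Subject: Security alert
Authentication-Results: mx.example.com; dkim=pass header.i=@google.com header.d=google.com
Content-Type: text/plain; charset="utf-8"

A new sign-in was detected. Review activity at https://accounts.google.com/
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, analyze(sample))
```

The rule deliberately does not try to judge page content; it keys on the structural oddity the report describes, a message that authenticates as the brand's own domain while sending the reader to a host under that domain where third parties can publish. Tune `USER_CONTENT_HOSTS` to the platforms relevant to your tenant and route hits to a human rather than auto-blocking, since first-party mail can legitimately reference such hosts.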

Johnson criticized Google for initially treating the vulnerability as "as intended by design" and stressed that it posed a serious threat. Worse, the fake portal used the trusted sites.google.com domain as cover, greatly lowering users' guard. In addition, Google Sites' abuse reporting mechanism was inadequate, so malicious pages were hard to take down in time. Under public pressure, Google eventually acknowledged the problem, and Johnson later confirmed that Google plans to fix the flaw in the OAuth protocol. Security experts remind users to stay vigilant, to be skeptical of any unexpected legal documents, and to verify the authenticity of a URL carefully before entering credentials.