Gmail users have been warned about a serious vulnerability that Google knew about for months before at last delivering a fix. The terrifying flaw sounds like a scammer’s dream – and a consumer’s nightmare – as it could have allowed a bad actor to impersonate any Gmail or G Suite user. Oftentimes with phishing scams or attempts to spread malware by e-mail the giveaway to a recipient is the sender’s e-mail address.
At first glance it may seem that an e-mail, such as one asking you to pay for a subscription that’s about to expire, is legitimate – but then you’ll spot the e-mail address it is sent from isn’t genuine.
Oftentimes the message will come from a domain that almost matches an official one but isn’t quite the same.
But this latest Gmail vulnerability would have allowed bad actors to make it seem like an e-mail was being sent from any address, bypassing the one giveaway that often puts users on alert to a scam.
The vulnerability was discovered by researcher Allison Husain, who explained scammers could even push out e-mails which seemed like it had come directly from the White House.
In a blog post Husain wrote: “Due to missing verification when configuring mail routes, both Gmail’s and any G Suite customer’s strict DMARC/SPF policy may be subverted by using G Suite’s mail routing rules to relay and grant authenticity to fraudulent messages.
“This is notably not the same as classic mail spoofing of yesteryear in which the From header is given an arbitrary value, a technique which is easily blocked by mail servers using the Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
“This issue is a bug unique to Google which allows an attacker to send mail as any other user or G Suite customer while still passing even the most restrictive SPF and DMARC rules.”
Husain went onto add: “Email is ancient technology-wise and comes from an era where the internet was nothing more than research universities and government labs. This was a point in time where if someone was misusing a computer, you’d be able to call them or their supervisor and personally tell them off. As the internet grew and more adversaries found their way online, however, very trusting and insecure systems like email needed to evolve.
“One of email’s growing pains was that both the content and sender of messages are entirely unauthenticated by default. This means that when a message was received by a mail server, there was no clear way to be sure that the message actually originated from the address it claims. In other words, anyone at all could claim they have a message from [email protected] and mail servers would have few formal or rigorous means to call their bluff. This of course was an enormous problem due to phishing and scams as users, for better or for worse, trust and rely on email domains to be sure they’re talking to who they think they are.”
The security researcher said they initially discovered the Gmail issue on April 1 and reported it to Google on April 3.
Husain claims Google accepted the issue on April 16 and classified it as a priority 2, severity 2 bug.
But it was only months later that a fix was rolled out, with a patch being released seven hours after Husain published a blog post outlining the vulnerability on August 19.
Source: Read Full Article