#BugAlert: Gmail bug allowed sending fake emails from real accounts
Gmail has been having a really bad time lately. Just yesterday, the Google-owned service dealt with its second major outage in two months and drew flak from millions of users around the world. Now, a security researcher has revealed that it also carried a dangerous bug, one that opened a way for email spoofing. Here's all you need to know about it.
Bogus emails from real accounts
Discovered by Allison Hussain, the issue was tied to a weakness in email routing rules and allowed bogus emails to be sent from legitimate Gmail addresses. This kind of attack could easily be used by cybercriminals to pose as a known person and trick an unsuspecting individual into a scam. For instance, they may send you a fake email asking for money using your friend's address.
Bypassed major security standards
Hussain found that the issue bypassed the advanced security protocols Google had implemented to prevent spoofing. Currently, Gmail uses Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to compare the sender's IP address to a pre-approved list of IPs from the domain's mail server. An email is successfully sent/received only when the IPs match, but here, the message skipped the checks altogether.
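To make the two checks described above concrete, here is an added example (written for this page, not Google's or the researcher's code) that models an SPF address-list check and an SPF-only DMARC alignment decision against constructed records. It assumes the domains, networks and policy shown in the code, and leaves out DKIM and real DNS lookups.

```python
import ipaddress

# Constructed stand-ins for DNS data (not real records): the networks a
# domain's SPF record authorises, and the domain's published DMARC policy.
SPF_RECORDS = {
    "example.com": ["192.0.2.0/24", "198.51.100.10/32"],
}
DMARC_POLICIES = {
    "example.com": "reject",
}

def org_domain(domain):
    """Crude organisational-domain reduction (last two labels). Enough for
    the constructed domains here; a real receiver uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def spf_check(mail_from_domain, client_ip):
    """SPF-style check: is the connecting IP in the envelope domain's list?
    Returns 'pass', 'fail', or 'none' (the domain publishes no record)."""
    nets = SPF_RECORDS.get(mail_from_domain.lower())
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    hit = any(ip in ipaddress.ip_network(n) for n in nets)
    return "pass" if hit else "fail"

def dmarc_evaluate(header_from_domain, mail_from_domain, client_ip):
    """DMARC evaluation using only the SPF identifier (DKIM omitted):
    SPF must pass AND the envelope domain must align with the visible
    From: domain. Returns (dmarc_result, disposition)."""
    policy = DMARC_POLICIES.get(org_domain(header_from_domain))
    spf = spf_check(mail_from_domain, client_ip)
    aligned = org_domain(mail_from_domain) == org_domain(header_from_domain)
    if spf == "pass" and aligned:
        return "pass", "accept"
    if policy is None:
        # No DMARC policy published: the receiver has no instruction to act on.
        return "none", "accept"
    return "fail", {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[policy]

if __name__ == "__main__":
    # Legitimate mail: authorised IP, aligned envelope domain.
    print(dmarc_evaluate("example.com", "example.com", "192.0.2.5"))
    # Forged From: header, attacker-controlled envelope domain, foreign IP.
    print(dmarc_evaluate("example.com", "attacker.example", "203.0.113.7"))
```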
Test confirmed the bypassing attack
To test the bug, Hussain used her personal G Suite domain to send an email from a @google.com address to a G Suite email account on a domain she did not control. Normally, the message, from a different IP address, should have been stopped by the DMARC and SPF protocols, but the message went through without any hiccup and landed in the targeted mailbox.
Google deployed mitigations, only months after being informed
Hussain discovered and reported the dangerous flaw in April, but Google remained silent. When the researcher contacted the company, it responded that the fix was due to be released in September. So, she decided to make the bug public, prompting Google to act sooner than planned by deploying mitigations to prevent email forgery attacks.