Google has fixed a security vulnerability affecting Gmail and G Suite email servers. Although the search giant took more than four months to mitigate and finally released a patch on Wednesday, the problem has been identified and reported to Google in April. According to the security researchers who discovered the vulnerability on April 1, it may allow hackers to send spoofed emails on behalf of any Gmail or G Suite user. The discovery of this error can also overcome the issue of Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) rules when sending spoofed emails.
Security researcher Allison Husain publicly disclosed vulnerabilities affecting Gmail and G Suite email servers in a blog post on Wednesday, including proof of concept (PoC). Hussein said that although Google plans to fix it sometime in September, it has decided to fix the vulnerability within seven hours after its release. Google has set a strict 90-day disclosure deadline for its vulnerability discovery “Project Zero” program. Regardless of whether the company has resolved this issue or not, regardless of whether the company has resolved the issue, details of the error will be released at the end of this period information. several times.
According to Husain, the error reported to Google on April 3 is not exactly the same as classic email spoofing, which can easily be blocked by email servers that use SPF and DMARC standards. Hussein said: “This problem is a Google-specific error. It allows an attacker to send mail like other users or G Suite customers, while still passing the strictest SPF and DMARC rules.”
Security researchers have discovered that the back-end structure Google uses to enable Gmail and G Suite services can allow attackers to use a native feature called “change envelope recipient” to redirect incoming emails and deceive any user’s identity. Hussein also discovered that once the vulnerability is exploited, custom mail routing rules can be used to overcome traditional SPF and DMARC checks to send deceptive emails to email gateways on Gmail and G Suite.
Hussein said: “By linking the broken recipient verification in the G Suite mail verification rules with the inbound gateway, I was able to make the Google backend resend any mail from any domain that was spoofed when the mail was received. “Hussein said. “If the attacker intends to impersonate the victim also using Gmail or G Suite, this is beneficial to the attacker, because it means that the mail sent by the Google backend will pass SPF and DMARC at the same time, because by the nature of using G Suite, they The domain of will be configured to allow Google’s backend to send mail from its domain.”
Hussein added that since deceptive emails come from Google’s backend, they are unlikely to be caught by regular spam filters.
It is worth noting that, as said by Catalin Cimpanu of ZDNet, Google has deployed patches on the server side. Therefore, users on Gmail and G Suite do not need to make any changes from scratch.
In 2020, will WhatsApp gain the killer feature that every Indian is waiting for? We discuss this on the weekly technical podcast Orbital, you can subscribe via Apple Podcast or RSS, download the episode or just click the play button below.