Google fixed email spoofing flaw 7 hours after public disclosure

Google addressed an email spoofing vulnerability affecting Gmail and G Suite a few hours after it was publicly disclosed.

Google addressed an email spoofing vulnerability affecting its Gmail and G Suite products a few hours after it was publicly disclosed, but the IT giant was ware of the flaw since April.

On Wednesday, the researcher Allison Husain published technical details of the email spoofing vulnerability in a blog post, which also includes a proof-of-concept (PoC) code.

The vulnerability is caused by missing verifications when configuring mail routes. The issue could have been exploited by an attacker to send an email that appears as sent by another Gmail or G Suite user, the message is able to bypass protection mechanisms such as Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC).

“Due to missing verification when configuring mail routes, both Gmail’s and any G Suite customer’s strict DMARC/SPF policy may be subverted by using G Suite’s mail routing rules to relay and grant authenticity to fraudulent messages.” states the post. “This issue is a bug unique to Google which allows an attacker to send mail as any other user or G Suite customer while still passing even the most restrictive SPF and DMARC rules.”

According to Husain, unlike the classic mail spoofing in which the From header is given an arbitrary value, this technique could not be blocked by mail servers using SPF and DMARC.

Email

The researcher used her personal G Suite domain to send an email apparently coming from an @google.com address to a G Suite email account associated with a domain she did not control.

“I am using my personal G Suite domain (mail-relay@ezh.es) to send a seemingly legitimate email from a google.com address to my university’s G Suite email on a domain which I do not control (test@berkeley.edu).” continues the expert. “I chose to send to another G Suite account to demonstrate that Google’s strong mail filtering and anti-spam techniques do not block or detect this attack. Additionally, I chose to impersonate google.com because their DMARC policy is set to p=reject and so any violations of SPF (regardless of the SPF policy) should result in the message simply being dropped with prejudice.”

The attack exploits a bug related to G Suite’s mail routing rules, which an attacker could have subverted to relay and grant authenticity to fraudulent messages.

Husain reported the flaw to Google on April 3, the company acknowledge the issue on April 16 and marked the issue as duplicate on April 21st, 2020.

On August 1, Husain notified Google her intent to publicly disclose the flaw and set disclosure deadline for August 17th (16 days later).

On August 14, Google told her that it would be releasing a patch on September 17, but Husain publicly disclosed the flaw on August 19.

The good news is that Google fixed the issue seven hours after its details were made public.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.

APPLY NOW

10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase

X