Google has confirmed that Gmail users were sent erroneous security messages
Update below 06/05. This post was originally published on June 3
Gmail’s security has always been one of its biggest selling points, but now one of its most important new security features is being actively used by hackers to scam users.
Gmail’s new blue checkmark sender verification system — it should work
Introduced last month, the Gmail checkmark setting Highlight verified organizations and companies to users with a blue verification icon. The idea is to help users identify which emails are legitimate and which are sent by impersonators involved in scams. Unfortunately, fraudsters have tricked the system.
Fraudsters Hacking Gmail’s New Sender Verification System
Invented by Cyber Security Engineer Chris Plummer, fraudsters have found a way to trick Gmail into believing their fake brands are legitimate. Gmail uses the checkmark system to instill trust against users.
“The sender found a way to spoof @gmail’s authentication stamp, which end users are going to trust,” explains Plummer. “The message went from the Facebook account, to UK NetBlock, to O365, to me. Nothing about it is formal. ”
Plummer reports that Google dismissed his discovery as “purposeful behavior,” his tweet about which went viral, and the company acknowledged the error. In a statement to Plummer, Google wrote:
“After looking closely we realized that this actually doesn’t seem to be a common SPF vulnerability. So we’re reopening this, and the appropriate team is keeping a close eye on what’s going on.
Again we apologize for the confusion, we understand that our initial response may have been disappointing, and thank you very much for pushing us to look into this!
We will let you know our assessment and the direction this issue takes.
Regards, Google Security Team”
Plummer Highlights Google has now listed this flaw as a ‘P1’ (priority) fix, which is currently “in progress”.
Plummer’s enormous credit goes not just to his invention, but to how far he went to get Google to admit the problem. Until Google fixes it, Gmail’s checkmark verification system is broken, and hackers and spammers are using it to trick you into doing exactly what you’re fighting against. Be alert.
06/05 Update: Security researchers are beginning to understand how Gmail’s checkmark verification system is being fooled and how it applies to other email services. A BlogDebugger Jonathan Rutenberg revealed that he was able to replicate the hack in Gmail, explaining:
“Gmail BIMI implementation only required SPF To suit, the DKIM signature Can be from any domain. This means that a shared or misconfigured mail server in the SPF records of a BIMI-enabled domain can be a vector for sending spoofed messages with the full BIMI ✅ treatment in Gmail…
BIM is worse than the current state because it enables super-powered phishing based on a flawed architecture at the most complex and vulnerable layer of email.
Rutenberg published results for BIMI implementations in other major email services.
- iCloud: Correctly verifies that DKIM matches the From domain
- Yahoo: Connects only bulk-shipped BIMI treatment with high reputation
- Fastmail: Vulnerable but supports Gravatar and uses the same treatment for both, so vulnerability is minimal
- Apple Mail + Fastmail: Vulnerable to Dangerous Treatment
Yes, this means Apple Mail and Fastmail users should also be aware, although they don’t have the verified checkmark system enabled like Gmail. The vulnerability has received a very critical response from the security community, raising questions about how it happened and how poorly Gmail’s verification system was implemented. Google needs a fix soon.
___
Follow Gordon Facebook
More at Forbes
