Gmail: a major flaw allowed hackers to impersonate any user

A security researcher has just revealed a major flaw affecting Gmail’s servers for several months. It allowed hackers to send spoofed emails to the address of any account.

While Gmail users struggled to use the service for several hours yesterday, Google meanwhile patched a critical vulnerability that had nothing to do with the global outage. According to security researcher Allison Husain, who has found and reported the vulnerability to Google since April, it allowed hackers to spoof a Gmail or G Suite account while bypassing security protocols that protect users.

What is this Gmail flaw?

Security protocols allow domain operators to associate their domain names with specific IP addresses. This allows receiving mail servers to spot any attempted spoofing by comparing the outgoing mail server’s IP to a list of allowed IPs. If the sender’s IP address is not on the list, the mail server can reject the message and prevent fraudulent e-mails from reaching users’ inboxes.

Domain authentication is provided by the Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) security standards. The researcher has published a proof of concept that shows how it is possible to circumvent these protocols by abusing a flaw in the validation rules of Gmail and G Suite to send a spoofed email from Google’s back-end so that the servers mailbox of the receiver authenticate it.

“In addition, the message coming from the back-end of Google, it is likely that its spam score is even lower, and that it is therefore even less filtered”, adds Allison Husain who specifies that the two vulnerabilities are specific to Google only.

Google rolled out a fix after more than 4 months

The researcher said she informed Google of the bug in April, but for unknown  reasons, the firm did not deploy a fix until hours after the report was released on August 19. Yet it is a major flaw that could have been exploited by attackers or spammers to conduct fraud campaigns with detrimental consequences for the victims. Google’s mitigation measures have been deployed on the server side, which means Gmail and G Suite customers don’t have to do anything to protect themselves.

Leave a Reply