Update of June 5 below. This article was originally published on June 3.
Gmail’s security has always been one of its biggest selling points, but today one of the hottest new security features is being actively used by hackers to trick users.
Rolled out last month, Gmail’s checkmark system highlights verified businesses and organizations with a blue checkmark next to the sender’s name. The idea is to help users distinguish legitimate email from messages sent by scammers. Unfortunately, scammers have already tricked the system.
As cybersecurity engineer Chris Plummer discovered, scammers have found a way to convince Gmail that their fake brands are legitimate, and in doing so they exploit the very trust the checkmark is supposed to inspire in Gmail users.
“The sender found a way to impersonate Gmail’s trusted seal of approval, which end users will trust,” Plummer explains. “This message went from a Facebook account to a UK netblock, to O365, to me. Nothing about it is legit.”
Plummer reports that Google initially dismissed his finding as “intended behavior” and closed the report, before his tweets about it went viral and the company acknowledged the error. In a statement to Plummer, Google wrote:
“After taking a closer look, we realized that this did not look like a generic SPF weakness. So we are reopening this, and the appropriate team is taking a closer look at what is going on.
We again apologize for the confusion and understand that our initial response may have been frustrating. Thank you so much for pressuring us to take a closer look!
We will keep you updated on our assessment and where this issue is headed.
Sincerely, Google Security Team”
Plummer notes that Google has now classed the bug as a “P1” (top priority) fix, which is currently “in progress.”
Much credit goes to Plummer, not only for discovering the flaw but also for his persistence in getting Google to recognize it. Until Google ships the fix, however, Gmail’s checkmark verification system remains flawed, and hackers and spammers are using it to pull off exactly the kind of impersonation it was supposed to prevent. A blue checkmark is not, on its own, proof that a message really comes from the brand it names. Be careful.
Update June 5: Security researchers are beginning to understand how Gmail’s checkmark verification system is being tricked, and how the same weakness applies to other email services. In a blog post, developer Jonathan Rudenberg revealed that he was able to reproduce the attack against Gmail, stating:
“Gmail’s BIMI implementation only requires an SPF match, and the DKIM signature can be from any domain. This means that any shared or misconfigured mail server in a BIMI-enabled domain’s SPF records can be a vector for sending impersonated messages that get Gmail’s full BIMI treatment…
BIMI is worse than the status quo because it enables extremely powerful phishing based on a single misconfiguration in a very complex and fragile email stack.”
Rudenberg also posted the results of testing the BIMI implementations of other major email services, saying:
- iCloud: correctly verifies that the DKIM signature matches the From domain
- Yahoo: only applies BIMI to bulk messages with high reputation
- Fastmail: vulnerable, but also supports Gravatar and uses the same treatment for both, so the impact is minimal
- Apple Mail + Fastmail: vulnerable, with dangerous treatment
Yes, that means Apple Mail and Fastmail users should also be on the lookout, even though they do not use the same checkmark system as Gmail. The response from the security community has been sharply critical, with questions raised about how this could have happened and about Google’s weak implementation of the verification check: SPF only proves that the sending server is authorized for the envelope domain, which is exactly what a shared or misconfigured server in the brand’s SPF record gives an attacker, whereas a DKIM signature from the brand’s own domain cannot be produced without the brand’s signing key. Google needs a fix ASAP.
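To make the difference between the two checks concrete, the following is an added example written for this page; it is not code from the article, from Google, or from Rudenberg’s post, and Gmail’s real internal logic is not public. It models, in Python, the BIMI decision a mailbox provider makes from its own authentication verdicts, contrasting the SPF-only check Rudenberg attributes to Gmail with the aligned-DKIM check he credits iCloud with. The Authentication-Results values, the domains brand.example, attacker.example and mx.receiver.example, and all function names are constructed for illustration; the organizational-domain logic is deliberately simplified (no Public Suffix List), and a real BIMI evaluation would additionally require an enforcing DMARC policy and a valid BIMI record.

```python
"""Toy BIMI eligibility check: SPF-only (flawed) vs aligned DKIM (correct).
Added illustration; not the article's, Google's, or Rudenberg's code."""


def parse_auth_results(header_value):
    """Parse a simplified Authentication-Results value (RFC 8601) into a
    list of (method, result, properties) tuples, e.g.
    ('dkim', 'pass', {'header.d': 'brand.example'}).
    Only the subset of the syntax used below is handled; parenthesised
    comments are not supported."""
    statements = header_value.split(';')[1:]  # drop the authserv-id
    parsed = []
    for stmt in statements:
        tokens = stmt.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition('=')
        props = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition('=')
            props[key] = val
        parsed.append((method.lower(), result.lower(), props))
    return parsed


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Real implementations consult the Public Suffix List."""
    labels = domain.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def aligned(domain, from_domain):
    """DMARC 'relaxed' identifier alignment (RFC 7489 section 3.1)."""
    return bool(domain) and org_domain(domain) == org_domain(from_domain)


def spf_aligned_pass(from_domain, results):
    """SPF passed and the envelope (MAIL FROM) domain aligns with From."""
    return any(m == 'spf' and r == 'pass'
               and aligned(p.get('smtp.mailfrom', ''), from_domain)
               for m, r, p in results)


def dkim_aligned_pass(from_domain, results):
    """A DKIM signature verified and its d= domain aligns with From."""
    return any(m == 'dkim' and r == 'pass'
               and aligned(p.get('header.d', ''), from_domain)
               for m, r, p in results)


def show_logo_spf_only(from_domain, results):
    """The check Rudenberg describes for Gmail: an aligned SPF pass is
    enough, and a passing DKIM signature may come from any domain."""
    any_dkim = any(m == 'dkim' and r == 'pass' for m, r, _ in results)
    return spf_aligned_pass(from_domain, results) and any_dkim


def show_logo_dkim_aligned(from_domain, results):
    """The stricter check (iCloud's behaviour, per Rudenberg): the DKIM
    signing domain must align with the From domain."""
    return dkim_aligned_pass(from_domain, results)


FROM_DOMAIN = "brand.example"

# Constructed scenario 1: the attacker relays through a shared sending
# service that sits in brand.example's SPF record, uses a brand.example
# envelope sender, and signs with their own DKIM key. DMARC passes on
# the SPF leg alone.
SPOOFED = ("mx.receiver.example; spf=pass smtp.mailfrom=brand.example;"
           " dkim=pass header.d=attacker.example header.s=sel1;"
           " dmarc=pass header.from=brand.example")

# Constructed scenario 2: the brand's own mail, signed by a subdomain
# (relaxed alignment still matches brand.example).
LEGIT = ("mx.receiver.example; spf=pass smtp.mailfrom=brand.example;"
         " dkim=pass header.d=mail.brand.example header.s=sel2;"
         " dmarc=pass header.from=brand.example")


def evaluate(header_value, from_domain=FROM_DOMAIN):
    """Return the verdict of both policies for one message."""
    results = parse_auth_results(header_value)
    return {
        "spf_only": show_logo_spf_only(from_domain, results),
        "dkim_aligned": show_logo_dkim_aligned(from_domain, results),
    }


if __name__ == "__main__":
    for name, hdr in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, evaluate(hdr))
```

Run stand-alone, the spoofed message earns the logo under the SPF-only policy and is refused under the aligned-DKIM policy, while the brand’s own message passes both. The point of the example is the asymmetry: anyone who can send through a host listed in the brand’s SPF record can produce the first verdict, but only a holder of the brand’s DKIM key can produce the second.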