On Wednesday, while several users were struggling to use the services of Gmail, Google dispatched a critical security bug impacting Gmail and G Suite. This security bug could have allowed attackers to send spoofed emails mimicking any G Suite or Gmail user. A security researcher Allison Husain discovered this bug and reported it to Google back in April of this year. According to Husain, this bug could have also allowed threat actors to pass spoofed emails as compliant with Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC). It is noteworthy that SPF and DMARC are the two most advanced email security standards.
You should also note that it took Google 137 days to fix this bug. Initially, the company delayed patches past the disclosure deadline. Google was planning to fix this bug in September of this year. However, on Wednesday, Allison Husain published the details of this bug in a blog post and Google engineers had to change their mind. Husain also published the proof-of-concept exploit code. Although the company was planning to bring a fix for this issue in September, Google deployed mitigations to block any attacks leveraging this bug within seven hours after Husain’s blog post went live. However, final patches will be deployed in September. G Suite and Gmail users do not need to make any changes since the company has deployed the patch at the server-side.
According to the security researcher, this bug was not identical to classic email spoofing that can be blocked using DMARC or SPF standards. Husain wrote in her blog post that this bug is unique to Google that allows attackers to send spoofed emails while still passing the most restrictive rules such as SPF and DMARC. According to the blog post, spoofed emails were less likely to be caught by regular spam filters since they are originating from Google’s backend.
Allison Husain found that the backend structure of Google for enabling G Suite and Gmail services could enable a threat actor to redirect incoming emails and spoof the identity of a person using the ‘Change envelope recipient’ feature. Once exploited, Allison Husain explained that this security bug could send spoofed emails to a gateway on G Suite and Gmail backend using custom routing rules. If it had been left unpatched, this security bug could have allowed spammers to design targeted hacks, and likely, it would have been widely adopted by malware distributors and BEC scammers. The company should have paid more attention to this issue and fixed it before the bug was disclosed.
Read next: Latest Version of Google Chrome for Android Lets You Check for Breached Passwords
You should also note that it took Google 137 days to fix this bug. Initially, the company delayed patches past the disclosure deadline. Google was planning to fix this bug in September of this year. However, on Wednesday, Allison Husain published the details of this bug in a blog post and Google engineers had to change their mind. Husain also published the proof-of-concept exploit code. Although the company was planning to bring a fix for this issue in September, Google deployed mitigations to block any attacks leveraging this bug within seven hours after Husain’s blog post went live. However, final patches will be deployed in September. G Suite and Gmail users do not need to make any changes since the company has deployed the patch at the server-side.
According to the security researcher, this bug was not identical to classic email spoofing that can be blocked using DMARC or SPF standards. Husain wrote in her blog post that this bug is unique to Google that allows attackers to send spoofed emails while still passing the most restrictive rules such as SPF and DMARC. According to the blog post, spoofed emails were less likely to be caught by regular spam filters since they are originating from Google’s backend.
Allison Husain found that the backend structure of Google for enabling G Suite and Gmail services could enable a threat actor to redirect incoming emails and spoof the identity of a person using the ‘Change envelope recipient’ feature. Once exploited, Allison Husain explained that this security bug could send spoofed emails to a gateway on G Suite and Gmail backend using custom routing rules. If it had been left unpatched, this security bug could have allowed spammers to design targeted hacks, and likely, it would have been widely adopted by malware distributors and BEC scammers. The company should have paid more attention to this issue and fixed it before the bug was disclosed.
Read next: Latest Version of Google Chrome for Android Lets You Check for Breached Passwords
