New security warning issued to Google’s 1.8 billion Gmail users

Google has confirmed that incorrect security messages have been sent to Gmail users

SOPA Images/LightRocket via Getty Images

06/05 update below. This post was originally published on June 3rd

Gmail’s security has always been one of its biggest selling points, but now one of its key new security features is being actively used by hackers to scam users.

Gmail’s new blue tick sender verification system – how it should work

Google


Launched last month, the Gmail tick system marks verified businesses and organizations with a blue tick. The idea is to help users identify which emails are legitimate and which may have been sent by scammers. Unfortunately, scammers have tricked the system.

Scammers hack Gmail’s new sender verification system

Chris Plummer

Cybersecurity engineer Chris Plummer discovered that scammers have found a way to convince Gmail that their fake brands are legitimate, leveraging the very trust that the tick system is designed to instill in Gmail users.


“The sender found a way to fool @gmail’s authoritative seal of approval, which end users will trust,” explains Plummer. “This message went from a Facebook account to a UK network block, to O365 and to me. There is nothing legitimate about that.”

Plummer reports that Google initially dismissed his discovery as “designed behavior” before his tweets about it went viral and the company acknowledged the mistake. In a statement to Plummer, Google wrote:

“On closer inspection, we found that it was in fact not a generic SPF vulnerability. Therefore, we are reopening the matter, and the responsible team is taking a closer look at the processes.


We apologize again for the confusion and understand that our initial response may have been frustrating. Thanks for pushing us to take a closer look! We will keep you informed of our assessment and the direction this issue is taking. Greetings, Google Security Team”


Plummer notes that Google has now listed the bug as a “P1” (top priority) fix, which is currently “in progress.”

Great credit goes to Plummer, not only for his discovery, but also for the efforts he made to get Google to acknowledge the problem. However, until Google ships a fix, the Gmail tick verification system will remain broken and will be used by hackers and spammers to fool you with exactly the kind of message it is supposed to protect you against. Stay alert.

6/5 Update: Security researchers are beginning to understand how Gmail’s tick verification system is tricked and how the same trick applies to other email services. In a blog post, developer Jonathan Rudenberg revealed that he was able to reproduce the hack on Gmail, stating:


“Gmail’s BIMI implementation only requires SPF compliance, the DKIM signature can come from any domain. This means that any shared or misconfigured mail server in the SPF records of a BIMI enabled domain can be a vector for sending fake messages with full BIMI ✅ treatment in Gmail…

BIMI is worse than the status quo as it enables high-performing phishing based on a single misconfiguration in the extremely complicated and fragile email stack.”


Rudenberg also published results for BIMI implementations at other major email services, stating:

iCloud: Properly checks if DKIM matches From domain.
Yahoo: only adds BIMI treatment to bulk mail with high reputation.
Fastmail: Vulnerable, but also supports Gravatar and uses the same treatment for both, so impact is minimal.
Apple Mail + Fastmail: vulnerable with a dangerous treatment

Yes, that means Apple Mail and Fastmail users need to be vigilant too, even though those services don’t use the same verified tick system as Gmail. The security community has been extremely critical of this vulnerability, raising questions about how it happened and how poorly the Gmail verification method was implemented. Google needs a fix ASAP.
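To make Rudenberg’s point concrete, here is an added example (not code from the article, Google, or Rudenberg) that models the two BIMI eligibility policies he contrasts: an SPF-only check like the Gmail behaviour he describes, and a check that requires a verified DKIM signature aligned with the From domain, as he reports iCloud does. The domains, the shared mail host scenario and the helper names are constructed for illustration.

```python
# Added example: receiver-side BIMI eligibility policies, weak vs. strict.
# All domains and authentication outcomes below are constructed sample data.
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Crude organizational-domain reduction (assumption: last two labels)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


@dataclass
class AuthResults:
    """Authentication outcome for one message, as a receiver would record it."""
    from_domain: str                    # RFC5322.From domain shown to the user
    spf_domain: str                     # MAIL FROM domain whose SPF record was checked
    spf_pass: bool
    dkim_pass_domains: list = field(default_factory=list)  # d= of signatures that verified
    sender_has_bimi_record: bool = True  # a BIMI DNS record exists for the From domain


def bimi_spf_only(r: AuthResults) -> bool:
    """Weak policy (the behaviour described for Gmail): an aligned SPF pass is
    enough; no DKIM signature from the From domain is required."""
    spf_aligned = r.spf_pass and org_domain(r.spf_domain) == org_domain(r.from_domain)
    return r.sender_has_bimi_record and spf_aligned


def bimi_dkim_aligned(r: AuthResults) -> bool:
    """Strict policy (the behaviour described for iCloud): require a verified
    DKIM signature whose d= is aligned with the From domain."""
    dkim_aligned = any(org_domain(d) == org_domain(r.from_domain)
                       for d in r.dkim_pass_domains)
    return r.sender_has_bimi_record and dkim_aligned


# Constructed scenario from the article: a shared mail host is listed in the
# SPF record of a BIMI-enabled brand domain. A message relayed through that
# host passes SPF for the brand, but its only verified DKIM signature carries
# some other domain's d= value.
RELAYED_VIA_SHARED_HOST = AuthResults(
    from_domain="brand.example", spf_domain="brand.example", spf_pass=True,
    dkim_pass_domains=["unrelated.example"],
)
GENUINE = AuthResults(
    from_domain="brand.example", spf_domain="brand.example", spf_pass=True,
    dkim_pass_domains=["mail.brand.example"],  # subdomain signer, still aligned
)
```

Only the strict policy withholds the logo from the relayed message; both grant it to the genuinely signed one, which is the behaviour a receiver wants.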

___




MORE FROM FORBES: Google fixes second zero-day Chrome vulnerability in a week by Gordon Kelly