Google has patched a security bug that affected both Gmail and G Suite email servers. The issue was identified and reported to Google in April, though the search giant took over four months to mitigate it and ultimately released a patch on Wednesday. According to the security researcher who discovered the bug on April 1, it could have allowed attackers to send spoofed emails on behalf of any Gmail or G Suite user. The spoofed emails also passed Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) checks.
Security researcher Allison Husain publicly disclosed the bug affecting Gmail and G Suite email servers in a blog post on Wednesday that included a proof-of-concept (PoC). Husain said that although Google had planned to ship a fix sometime in September, it patched the flaw within seven hours of the public disclosure. Google itself imposes a strict 90-day disclosure deadline through its bug-finding Project Zero initiative, publishing details of a bug at the end of that period regardless of whether the affected company has a fix ready, something Microsoft has learnt the hard way on several occasions.
According to Husain, the bug that was reported to Google on April 3 was not the classic email spoofing that email servers can easily block using the SPF and DMARC standards. “This issue is a bug unique to Google which allows an attacker to send mail as any other user or G Suite customer while still passing even the most restrictive SPF and DMARC rules,” said Husain.
The security researcher found that the backend Google uses to run Gmail and G Suite could allow an attacker to redirect incoming emails and spoof the identity of any user through a native feature called “Change envelope recipient.” Husain also found that, by combining custom mail routing rules with an inbound email gateway on Gmail and G Suite, the bug could be used to send spoofed emails that passed the traditional SPF and DMARC checks.
“By chaining together both the broken recipient validation in G Suite’s mail validation rules and an inbound gateway, I was able to cause Google’s backend to resend mail for any domain which was clearly spoofed when it was received,” said Husain. “This is advantageous for an attacker if the victim they intend to impersonate also uses Gmail or G Suite because it means the message sent by Google’s backend will pass both SPF and DMARC as their domain will, by nature of using G Suite, be configured to allow Google’s backend to send mail from their domain.”
Husain added that since the spoofed emails were originating from Google’s backend, they weren’t likely to be caught by regular spam filters.
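To see why the relayed message passes, here is an added example (not from Husain's post or from Google) that evaluates SPF and DMARC alignment the way a receiving server does, against constructed DNS records for a hypothetical G Suite customer domain victim.example whose SPF record delegates to a provider include with the constructed netblock 203.0.113.0/24. The same MAIL FROM and From: header fail when sent directly from an attacker address and pass when relayed from the provider's netblock, which is exactly the gap the routing bug exploited and why spam filters had nothing to key on.

```python
import ipaddress

# Constructed DNS data for illustration only (RFC 5737 example addresses).
# victim.example is a hypothetical G Suite customer, so its SPF record
# delegates to the mail provider's include, which lists the provider's
# outbound netblock. A real tenant would reference the provider's own record.
DNS_TXT = {
    "victim.example": "v=spf1 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
DMARC_TXT = {"_dmarc.victim.example": "v=DMARC1; p=reject; aspf=r"}


def spf_check(client_ip, mail_from_domain, depth=0):
    """Minimal SPF evaluator: supports ip4: and include: (subset of RFC 7208)."""
    record = DNS_TXT.get(mail_from_domain)
    if record is None or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term.startswith("include:"):
            if spf_check(client_ip, term[8:], depth + 1) == "pass":
                return "pass"
        if term == "-all":
            return "fail"
    return "neutral"


def dmarc_evaluate(client_ip, mail_from_domain, from_header_domain):
    """Return (spf_result, dmarc_result). DKIM is omitted; relaxed SPF
    alignment is approximated as a same-or-subdomain check."""
    spf = spf_check(client_ip, mail_from_domain)
    if DMARC_TXT.get("_dmarc." + from_header_domain) is None:
        return spf, "none"
    aligned = (from_header_domain == mail_from_domain
               or from_header_domain.endswith("." + mail_from_domain))
    return spf, "pass" if (spf == "pass" and aligned) else "fail"


if __name__ == "__main__":
    # Identical envelope and header; only the connecting IP differs.
    print("direct from attacker host:",
          dmarc_evaluate("198.51.100.7", "victim.example", "victim.example"))
    print("relayed by provider backend:",
          dmarc_evaluate("203.0.113.25", "victim.example", "victim.example"))
```

Because the verdict depends only on the connecting IP and the domains, a receiver cannot distinguish the relayed spoof from legitimate tenant mail with SPF/DMARC alone; the fix had to be on the provider's side, which is why Google's server-side patch was sufficient.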
It is important to note that Google deployed the patch on the server side, as noted by Catalin Cimpanu of ZDNet. Gmail and G Suite users therefore do not need to make any changes on their end.