Date: 2020-08-20
A dangerous bug discovered by a security researcher this spring could have allowed attackers to abuse Google’s Gmail service. If properly exploited, bogus emails could be sent from real Gmail addresses.

These so-called spoofing attacks allow cybercriminals to contact potential victims from a trusted email address, or provide a convenient way to cover their tracks.

Email has been around for a long, long time. It hasn’t always been a terribly secure way to communicate, but there have been numerous improvements in recent years.

SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting and Conformance) were introduced to make it harder for bad actors to send spoofed emails. A sender’s email must pass checks from the domain’s mail server before a message can be sent.

Gmail has supported both SPF and DMARC for some time. The bug discovered by Allison Hussain, however, would have allowed an attacker to bypass those checks and send forged emails.

To prove her point, that’s exactly what Hussain did. She sent a test mail from a Google.com email address to a mailbox that she knew was also hosted by Google.

It should have been doubly hard for the spoofed email to make it through Google’s filters, yet it sailed right past. Hussain’s test arrived right in the test inbox alongside other legitimate emails.

She was able to circumvent Google’s email checks by using features available to G Suite administrators. Hussain created email processing rules that took inbound forged messages and effectively turned them into legitimate messages that Gmail would send on to “victims.”

Hussain disclosed the bug to Google in early April. August first rolled around and she still hadn’t heard anything back regarding a fix, so she sent notice that she intended to publish her findings.

When Google responded that mitigations wouldn’t be in place until mid-September, Hussain waited a few more days and then posted to her personal blog. Within hours of the post going live, Google had fast-tracked the fix and shut down this dangerous email forgery loophole.

