Gmail: Google finally forced to patch serious Gmail bug after exploit published online

Gmail: Google finally forced to patch serious Gmail bug after exploit published online

Gmail: Google finally forced to patch serious Gmail bug after exploit published online

Google knew about the Gmail vulnerability for months before delivering a fix

Google has been forced to remedy a significant security vulnerability present in Gmail and G Suite email servers after an exploit was published online.

The vulnerability could have allowed an attacker to send imitation emails posing as any Gmail or G Suite customer, opening the door to an array of spear phishing and spam-based attacks - which could even be wont to smuggle malware onto the target system.

Google had known about the flaw for 137 days before issuing the fix but dragged its feet until security researcher Allison Husain published a proof-of-concept exploit code to her blog.


  1. Check our list of the simplest email services out there
  2. Here's our list of the simplest email hosting providers around
  3. We've built an inventory of the simplest email clients on the market


Gmail security vulnerability

The now-patched Gmail exploit abused two separate issues which, when combined, could have given hackers the keys to the metaphorical kingdom.

The first bug allowed attackers to send fraudulent emails to an email gateway on the Gmail and G Suite backend, then run a server to wave the e-mail through.

The second flaw created a chance to tweak email routing settings, allowing hackers to forward emails under the guise of any Gmail or G Suite user.

According to Husain, this second bug also meant malicious actors could bypass two highly restrictive email security standards: Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC).

“Due to missing verification when configuring mail routes, both Gmail’s and any G Suite customer’s strict DMARC/SPF policy could also be subverted by using G Suite’s mail routing rules to relay and grant authenticity to fraudulent messages,” explained Husain.

The security researcher claims to possess disclosed the difficulty on April 1 and notified Google of her intent to publish the exploit on Lammas. Once the blog went survive August 19, only seven hours elapsed before Google delivered the fix.

The patch was administered on the backend, which suggests no action is required on the part of Gmail users or G Suite customers so as to guard against attack.




Source URL

Post a Comment

2 Comments