Google has fixed a critical bug affecting Gmail and G Suite that would have allowed attackers to send spoofed, malicious emails as any other Google user or business entity.
According to security researcher Allison Husain, who discovered the security issue caused by missing verification when configuring email routes, “both Gmail and any strict G Suite customers’ DMARC/SPF configuration can be subverted by using G Suite’s email routing rules to relay and grant authenticity to fraudulent messages.”
Abusing Google’s own backend to add authenticity
The issue was caused by “missing verification when configuring email routes,” as detailed by Husain, who discovered the bug and reported it to Google on April 3, 2020.
To exploit this bug and send spoofed emails that pass both SPF and DMARC checks, an attacker would chain a broken recipient validation issue in Google’s email routing rules with an inbound email gateway so that the message is relayed out through Google’s backend, which downstream mail servers are configured to trust.
“This is beneficial for an attacker if the victim they intend to impersonate also uses Gmail or G Suite, because it means that the message sent by Google’s backend will pass both SPF and DMARC, as their domain, by nature of using G Suite, will be configured to allow Google’s backend to send email from their domain,” Husain explained.
“Moreover, since the message comes from Google’s backend, it is also likely that the message will have a lower spam score and therefore should be filtered less often.”
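To make the mechanism concrete, the following is an added example, not code from the article or from Husain’s write-up. It models the receiver-side SPF and DMARC checks on three constructed deliveries of the same spoofed From: header: one sent directly from the attacker’s server, one relayed out of the provider’s backend with the victim’s envelope sender intact, and one where the relay rewrites the return path. The domains, DMARC policy and IP addresses are all constructed (the 192.0.2.0/24 netblock is RFC 5737 documentation space standing in for the provider’s relays, not a real Google range), DKIM is not modelled, and the return-path rewrite in the third scenario is a hypothetical illustration of why such a rewrite breaks alignment, not a description of Google’s actual mitigation.

```python
import ipaddress

# Constructed SPF records keyed by domain. include: terms resolve from this table
# rather than DNS. 192.0.2.0/24 (RFC 5737 documentation space) stands in for the
# provider's outbound relays; it is not a real Google netblock.
SPF_RECORDS = {
    "victim.example": "v=spf1 include:_spf.provider.example -all",
    "provider.example": "v=spf1 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "attacker.example": "v=spf1 ip4:203.0.113.10 -all",
}
# Constructed DMARC record for the victim: reject on failure, strict SPF alignment.
DMARC_RECORDS = {"victim.example": "v=DMARC1; p=reject; aspf=s; adkim=s"}

PROVIDER_RELAY_IP = "192.0.2.25"   # constructed: a relay inside the provider's SPF range
ATTACKER_IP = "203.0.113.10"       # constructed: the attacker's own mail server


def parse_tags(record):
    """Parse 'k=v; k2=v2' style tags (DMARC record syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def spf_check(domain, sender_ip, depth=0):
    """Minimal SPF evaluator: supports ip4:, include: and all, with qualifiers."""
    if depth > 10:
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        matched = False
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def aligned(mailfrom_domain, from_domain, mode):
    """DMARC identifier alignment: strict = exact match, relaxed = same last two labels."""
    if mode == "s":
        return mailfrom_domain == from_domain
    return mailfrom_domain.split(".")[-2:] == from_domain.split(".")[-2:]


def dmarc_evaluate(from_header, return_path, sender_ip):
    """Receiver-side verdict. DKIM is not modelled, so DMARC can pass only via aligned SPF."""
    from_domain = from_header.rsplit("@", 1)[1]
    mailfrom_domain = return_path.rsplit("@", 1)[1]
    policy = parse_tags(DMARC_RECORDS.get(from_domain, ""))
    spf = spf_check(mailfrom_domain, sender_ip)
    spf_ok = spf == "pass" and aligned(mailfrom_domain, from_domain, policy.get("aspf", "r"))
    dmarc = "pass" if spf_ok else "fail"
    disposition = "none" if dmarc == "pass" else policy.get("p", "none")
    return {"spf": spf, "dmarc": dmarc, "disposition": disposition}


def scenarios():
    """Three constructed deliveries of the same spoofed From: header."""
    spoofed_from = "ceo@victim.example"
    return {
        # 1. Attacker sends directly from its own server: SPF fails, DMARC rejects.
        "direct_spoof": dmarc_evaluate(spoofed_from, "ceo@victim.example", ATTACKER_IP),
        # 2. Same message relayed out of the provider's backend with the victim's
        #    envelope sender intact: SPF passes and aligns, so DMARC passes.
        "relayed_via_provider": dmarc_evaluate(spoofed_from, "ceo@victim.example", PROVIDER_RELAY_IP),
        # 3. Hypothetical return-path rewrite (assumption, not Google's actual fix): the
        #    relay stamps an envelope sender in its own domain, so SPF still passes for
        #    the relay but no longer aligns with the spoofed From:, and strict DMARC fails.
        "relayed_with_rewritten_return_path": dmarc_evaluate(
            spoofed_from, "bounce@provider.example", PROVIDER_RELAY_IP),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The second scenario is the whole point of the bug: once the message leaves the provider’s own relays with the victim’s envelope sender untouched, the receiver has no way to tell it apart from legitimate mail, because the victim’s SPF record deliberately authorizes those relays. The third scenario shows why changing the return path at the relay is a natural mitigation: SPF can still pass for the relay, but without alignment to the From: domain DMARC no longer does.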
Delayed for 137 days, patched within 7 hours of disclosure
As shown in the disclosure timeline published by Husain, Google accepted the issue on April 16 but classified it as a priority 2, severity 2 bug, and later marked it as a duplicate.
When the researcher informed the company that the bug would be disclosed on August 17, Google said a fix was being developed, with an estimated release date of September 17.
Although Google normally gives vendors a 90-day window to address bugs that its own researchers find and report before they are made public, it left the issue reported by Husain unpatched for 137 days.
After the researcher published the findings on August 19 (two days after the disclosure deadline), Google rolled out “mitigations based on return-path modification and anti-abuse mechanisms” within seven hours of Husain’s blog post going live.
“[W]ithin seven hours of this post going live, the issue was patched,” Husain said in an update to the blog post that disclosed the email spoofing bug affecting both Gmail and G Suite.