Google on Wednesday patched a major security flaw affecting the Gmail and G Suite email servers.
The bug could have allowed a threat actor to send spoofed emails mimicking any Gmail or G Suite customer.
According to security researcher Allison Husain, who discovered the problem in April and reported it to Google, the bug also allowed attackers to pass the spoofed emails off as compliant with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting and Conformance), two of the most advanced email security standards.
Google delayed patches despite a four-month heads-up
Despite having 137 days to fix the reported issue, Google initially delayed patches past the disclosure deadline, planning to fix the bug sometime in September.
Google engineers changed their minds yesterday after Husain published details about the bug on her blog, including proof-of-concept exploit code.
Seven hours after the blog post went live, Google told Husain that it was deploying mitigations to block any attacks using the reported issue, while waiting for the final patches to be deployed in September.
In hindsight, yesterday's patching snafu is a common occurrence in the tech sector, where many companies and their security teams do not fully grasp the seriousness and repercussions of leaving a vulnerability unpatched until details about the flaw become public and they stand to be exploited.
How the bug worked
As for the bug itself, the issue is actually a combination of two factors, as Husain explains in her blog post.
The first is a bug that allowed an attacker to send spoofed emails to an email gateway on the Gmail and G Suite backend.
An attacker could run or rent a malicious email server, use it to deliver the spoofed message to that Gmail and G Suite backend, and then use the second bug.
With this second bug, attackers could set up custom email routing rules that take the incoming message and forward it, while also spoofing the identity of any Gmail or G Suite customer using a native Gmail/G Suite feature named "Change envelope recipient."
The advantage of using this email forwarding feature is that Gmail/G Suite also validates the spoofed, forwarded email against the SPF and DMARC standards, helping attackers authenticate the fake message. See Husain's chart below for a breakdown of how the two bugs could be combined.
"In addition, because the message comes from Google's backend, it's also likely that the message has a lower spam score and therefore should be filtered less often," Husain said, while also pointing out that the two bugs are unique to Google.
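To make the SPF/DMARC point concrete, here is a small added example (not code from the article or from Husain's write-up) that models what a receiving mail server checks. It is a deliberately simplified SPF evaluator (only the ip4, include and all mechanisms, no DNS lookups) plus a relaxed-alignment DMARC check, run over constructed SPF records and addresses. The Google netblock and every domain name are assumptions for illustration, as is the premise that the message forwarded out of Google's backend still carries the spoofed customer domain in its envelope sender. It shows why the same spoofed message fails when sent from the attacker's own server but passes when it leaves Google's infrastructure, and why this only works against domains that already authorise Google in their SPF record.

```python
import ipaddress

# Constructed, simplified "DNS zone" of SPF TXT records for the scenario.
# A real evaluator queries DNS; this toy resolver only consults this dict.
# The Google range is illustrative (an assumption, not looked up here) and
# the other addresses are documentation/test ranges.
SPF_RECORDS = {
    "victim.example": "v=spf1 include:_spf.google.com -all",  # G Suite tenant
    "_spf.google.com": "v=spf1 ip4:209.85.128.0/17 -all",       # simplified
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",
}


def spf_check(ip, domain, depth=0):
    """Simplified SPF evaluation for a sending IP against a domain's record.

    Supports the ip4, include and all mechanisms with the +, -, ~ and ?
    qualifiers. Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no
    record) or 'permerror' (include recursion too deep). Real SPF has more
    mechanisms, macros and a strict 10-lookup limit; those are out of scope.
    """
    if depth > 10:
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    outcome = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in outcome:
            qualifier, term = term[0], term[1:]
        matched = False
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only if the referenced record yields "pass"
            matched = spf_check(ip, term[8:], depth + 1) == "pass"
        elif term == "all":
            matched = True
        if matched:
            return outcome[qualifier]
    return "neutral"


def org_domain(domain):
    """Toy organisational-domain extraction (last two labels).
    Real DMARC alignment uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_spf_aligned(source_ip, mail_from_domain, header_from_domain):
    """True if the message passes DMARC on the SPF path: SPF passes for the
    envelope (MAIL FROM) domain and that domain aligns, in relaxed mode, with
    the RFC 5322 From: domain. DKIM is ignored on purpose: the article's
    attack works because Google's backend supplies a passing, aligned SPF."""
    spf_pass = spf_check(source_ip, mail_from_domain) == "pass"
    aligned = org_domain(mail_from_domain) == org_domain(header_from_domain)
    return spf_pass and aligned


def scenarios():
    """The two deliveries of the same spoofed message (From: ceo@victim.example)."""
    return {
        # Sent straight from the attacker's own server: SPF fails, DMARC fails.
        "direct_from_attacker": dmarc_spf_aligned(
            "203.0.113.10", "victim.example", "victim.example"),
        # Relayed out of Google's backend via the forwarding rule: the source
        # IP is inside the range victim.example already authorises, so SPF
        # passes and aligns with From:, and DMARC passes.
        "forwarded_via_google": dmarc_spf_aligned(
            "209.85.200.1", "victim.example", "victim.example"),
        # A domain that does not authorise Google cannot be spoofed this way.
        "non_google_victim": dmarc_spf_aligned(
            "209.85.200.1", "attacker.example", "attacker.example"),
    }


if __name__ == "__main__":
    for name, passed in scenarios().items():
        print(f"{name}: DMARC {'pass' if passed else 'fail'}")
```

The last scenario is why the bugs only let attackers impersonate Google's own customers: the victim's SPF record has to already include Google's outbound ranges for a message leaving Google's backend to authenticate as that domain.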
If the bug had been left unpatched, ZDNet has no doubt that the exploit would most likely have been widely adopted by email spam groups, BEC scammers, and malware distributors.
Google's mitigations are deployed server-side, which means Gmail and G Suite customers do not have to do anything.