Google fixed a major security bug affecting Gmail and G Suite email servers within hours, after ignoring for 137 days the researcher who found it. The Gmail bug allowed an attacker to send spoofed emails impersonating any Gmail or G Suite customer through Google’s own backend servers. The security researcher, Allison Husain, reported the email spoofing bug in April, and Google promised shortly afterwards to fix it. However, the Alphabet-owned company never got around to doing so until Husain published a blog post publicizing the issue.
Google fixes Gmail bug within hours after blog publication
Google received the report about the Gmail bug in April and scheduled a fix. However, the search engine giant did not patch the bug in the 137 days that followed, and instead pushed its deadline back to September.
The reasons for Google’s delay in fixing the severe Gmail bug remain unclear. However, the company swung into action after Husain published the details of the Gmail bug and released the proof-of-concept exploit code used for email spoofing.
Within seven hours of Husain’s blog publication, the email giant deployed mitigations against the email spoofing exploit on Gmail. These partial fixes prevent attackers from exploiting the bug while the email service awaits the final patches in September.
Technical details of the email spoofing bug on Gmail services
The Gmail bug allowed an attacker to conduct email spoofing while still complying with the Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) security standards. These standards check the IP address of the server delivering a message against the list of servers authorized to send mail for the sender’s domain. If the address is not on that list, the receiving server rejects the mail, blocking the spoofing attempt. However, the Gmail bug allowed an attacker to work around this security measure by causing the spoofed messages to be validated as genuine emails.
The email spoofing Gmail bug exists in two forms, according to Husain. The first bug allows an attacker to spoof emails through Google’s backend servers on both Gmail and G Suite services.
The threat actor succeeds by renting a Gmail or G Suite backend mail server on Google’s platform. The rented server is then used to forward the spoofed email, allowing the attacker to exploit the second bug.
The second Gmail bug allows the threat actor to set custom routing rules for incoming email messages and, using the “Change envelope recipient” feature, to spoof any Gmail or G Suite customer. It is this native feature that causes the spoofed emails to be validated against the SPF and DMARC security standards.
Forwarding the email from Gmail backend servers allows the spoofed messages to avoid spam filters, ensuring they reach the target’s inbox.
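The SPF and DMARC checks described above can be modelled in a few lines. The following is an added example, not Husain’s proof of concept or Google’s code: it uses constructed SPF records and a constructed DMARC policy, and approximates the organizational domain with the last two labels (real DMARC uses the public suffix list). It shows that a message relayed by a server that passes SPF for its own domain still fails DMARC unless the authenticated domain aligns with the visible From address, which is exactly the alignment the bug let spoofed messages obtain.

```python
from email.utils import parseaddr

# Constructed sample data: which IPs each domain's SPF record authorizes.
SPF_RECORDS = {
    "example.com": {"203.0.113.10"},
    "mail-relay.example": {"198.51.100.5"},
}
# Constructed DMARC policy for the domain being impersonated.
DMARC_POLICIES = {"example.com": "reject"}


def org_domain(domain):
    # Simplified organizational domain: last two labels of the name.
    return ".".join(domain.lower().split(".")[-2:])


def spf_check(mail_from_domain, connecting_ip):
    # SPF: is the delivering server's IP authorized by the MAIL FROM domain?
    return connecting_ip in SPF_RECORDS.get(mail_from_domain.lower(), set())


def dmarc_evaluate(from_header, mail_from_domain, connecting_ip, dkim_passed_domains):
    """Evaluate DMARC (relaxed alignment) for one message.

    from_header: the RFC 5322 From header shown to the user.
    mail_from_domain: the SMTP envelope sender domain checked by SPF.
    dkim_passed_domains: domains whose DKIM signatures verified (assumed).
    """
    from_domain = parseaddr(from_header)[1].split("@")[-1].lower()
    spf_pass = spf_check(mail_from_domain, connecting_ip)
    # SPF only helps DMARC if the envelope domain aligns with the From domain.
    spf_aligned = spf_pass and org_domain(mail_from_domain) == org_domain(from_domain)
    dkim_aligned = any(org_domain(d) == org_domain(from_domain) for d in dkim_passed_domains)
    policy = DMARC_POLICIES.get(org_domain(from_domain), "none")
    return {
        "from_domain": from_domain,
        "spf": spf_pass,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
        "policy": policy,
    }


if __name__ == "__main__":
    # Legitimate mail from the domain's own server: SPF passes and aligns.
    print(dmarc_evaluate("Alice <alice@example.com>", "example.com", "203.0.113.10", []))
    # Relayed spoof: SPF passes for the relay, but does not align, so DMARC fails.
    print(dmarc_evaluate("Alice <alice@example.com>", "mail-relay.example", "198.51.100.5", []))
```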
Husain noted that the email spoofing bug exists only on Google’s Gmail service. Left unfixed, the Gmail bug would have made Google’s Gmail service very popular with spammers and malware distributors, whose emails are frequently blocked by spam filters.
David “moose” Wolpoff, CTO and Co-Founder of Randori, says that the bug allowed an attacker to send an email from a different account than the one declared in the headers.
“What’s notable here is that adversaries can take advantage of confusing Gmail settings to manipulate email headers, and then bypass security controls to send emails from different accounts. This bug allows an adversary to bypass the step of proving the domain from which they are claiming to send the email.”
He added that such phishing attacks are a major thorn in enterprise security. He notes that the only consolation is that the attackers could not access the email addresses they were impersonating.
Unfortunately, the attackers could instruct victims to send information to one of their malicious accounts. Additionally, the scammers could include malicious links in the spoofed emails. Users are likely to trust the email because it appears to originate from a trustworthy sender, and such victims are likely to click the included malicious links or to send sensitive information to the hackers’ proxy email address without a second thought.