Google faced heavy criticism earlier in the week over an outage of Gmail and other G Suite services that took close to six hours to resolve.
It now emerges that, shortly before that outage, Google was also closing a critical security bug in Gmail which, left unfixed, could have let cybercriminals send convincingly spoofed emails to prey on users of Google services.
According to security researcher Allison Husain, who found the flaw, it allowed attackers to bypass two of the key email authentication protocols, Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
SPF lets a domain owner publish in DNS the set of IP addresses permitted to send mail on the domain's behalf, and DMARC lets the owner tell receiving servers what to do with mail that fails authentication for that domain, for example reject it outright. A message that fails both checks is normally refused or routed to spam rather than delivered to the recipient's inbox. Husain, however, found a way to abuse G Suite's "inbound gateway" setting, which tells Gmail that a customer's mail arrives through an upstream server (typically a spam filter or archiving service) and that such relayed mail should be accepted as already checked, so that Google's own servers would re-send a spoofed message as if it were legitimate.
"By chaining together both the broken recipient validation in G Suite’s mail validation rules and an inbound gateway, I was able to cause Google’s backend to resend mail for any domain which was clearly spoofed when it was received. This is advantageous for an attacker if the victim they intend to impersonate also uses Gmail or G Suite because it means the message sent by Google’s backend will pass both SPF and DMARC as their domain will, by nature of using G Suite, be configured to allow Google’s backend to send mail from their domain. Additionally, since the message is originating from Google’s backend, it is also likely that the message will have a lower spam score and so should be filtered less often," Allison Husain said on the official blog.
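To make concrete why the chain Husain describes defeats both checks, the following Python is an added example (not code from Husain's write-up or from Google) that models SPF evaluation and a simplified DMARC alignment check over constructed DNS records. It uses a hypothetical victim domain whose SPF record authorises a hosted mail provider via `include:`, exactly as a G Suite tenant authorises Google's servers; the domain names, IP ranges (taken from the documentation address blocks) and records are all constructed, DNS lookups are replaced by a dictionary, and DKIM signature verification is assumed to have happened elsewhere.

```python
import ipaddress

# Constructed DNS TXT data standing in for live lookups (not real records).
# "mailprovider.example" plays the role of a hosted mail provider whose servers
# the victim domain authorises via SPF "include:", as a G Suite tenant does.
DNS_TXT = {
    "victim.example": ["v=spf1 include:_spf.mailprovider.example ~all"],
    "_spf.mailprovider.example": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
    "_dmarc.victim.example": ["v=DMARC1; p=reject; aspf=r; adkim=r"],
    "attacker.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record against the connecting IP.

    Handles ip4/ip6/include/all; mechanisms that need live DNS (a, mx, ptr,
    exists) are skipped in this offline model. Returns an SPF result string.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; treat runaway includes as an error
        return "permerror"
    records = [r for r in DNS_TXT.get(domain.lower().rstrip("."), []) if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # An address/network version mismatch simply does not match.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = spf_check(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue  # a/mx/ptr/exists and modifiers such as redirect= are ignored here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and there was no "all" term


def dmarc_record(header_from_domain):
    """Return the DMARC tags published at _dmarc.<domain>, or None if absent."""
    for r in DNS_TXT.get("_dmarc." + header_from_domain.lower(), []):
        if r.startswith("v=DMARC1"):
            return dict(kv.strip().split("=", 1) for kv in r.split(";") if "=" in kv)
    return None


def aligned(domain, header_from_domain, mode):
    """DMARC identifier alignment: 's' is strict (exact match); 'r' is relaxed,
    approximated here as same domain or subdomain (a real check compares
    organisational domains using the public suffix list)."""
    a, b = domain.lower().rstrip("."), header_from_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def dmarc_evaluate(header_from_domain, mail_from_domain, sender_ip, dkim_domains=()):
    """Simplified DMARC evaluation for one message.

    dkim_domains lists the d= domains of DKIM signatures that already verified
    (verification itself is out of scope). DMARC passes when there is either an
    aligned SPF pass or an aligned DKIM pass.
    """
    spf = spf_check(mail_from_domain, sender_ip)
    tags = dmarc_record(header_from_domain)
    if tags is None:
        return {"spf": spf, "dmarc": "none", "policy": "none"}
    spf_ok = spf == "pass" and aligned(mail_from_domain, header_from_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, header_from_domain, tags.get("adkim", "r")) for d in dkim_domains)
    return {"spf": spf, "dmarc": "pass" if (spf_ok or dkim_ok) else "fail", "policy": tags.get("p", "none")}


if __name__ == "__main__":
    # Spoofed message: From: ceo@victim.example, MAIL FROM victim.example.
    # 1. Sent straight from the attacker's host: SPF softfail, DMARC fail, policy reject.
    print(dmarc_evaluate("victim.example", "victim.example", "203.0.113.7"))
    # 2. The same message re-sent by the victim's own provider (the situation
    #    Husain describes): SPF passes via the include, aligns, DMARC passes.
    print(dmarc_evaluate("victim.example", "victim.example", "198.51.100.10"))
    # 3. Attacker uses their own MAIL FROM so SPF passes, but it does not align
    #    with the From: header, so DMARC still fails under the victim's policy.
    print(dmarc_evaluate("victim.example", "attacker.example", "203.0.113.7"))
```

The third case is the point of DMARC: an attacker can always make SPF pass for a domain they control, so the check that matters is alignment with the visible From: header. That is why a relay that makes the victim's own provider emit the forged message is so valuable, since the provider's addresses are exactly the ones the victim's SPF record authorises.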
Husain found the flaw in early April and reported it to Google on April 3. Google acknowledged the report nearly two weeks later, on April 16, rating it priority 2 and severity 2, but took more than four months to ship a fix, which landed this week.