Google fixes serious Gmail security bug four months after it was discovered
Gmail recently saw a major outage that affected millions around the globe. However, as soon as it came back online, the popular email client fixed one of its glaring security bugs. The bug reportedly affected both Gmail and G Suite email servers. What's interesting is that this issue was identified by Google back in April this year, and it has only now, months later, been fixed.
As mentioned by the security researcher, Allison Husain, the bug could have allowed hackers to send spoofed emails on behalf of any Gmail or G Suite user. “This issue is a bug unique to Google which allows an attacker to send mail as any other user or G Suite customer while still passing even the most restrictive SPF and DMARC rules,” said Husain in a blog post.
It was added that although Google was planning to bring a fix in September, it rolled out the patch within seven hours of the bug being made public. That's also surprising considering that the search giant itself gives companies a 90-day deadline from the time its bug-finding Project Zero team discovers a bug. After the 90-day period, all details about the bug are made public regardless of whether the company has patched it or not. But this doesn't seem to apply in Google's own case.
Giving details on the bug, Husain said that “By chaining together both the broken recipient validation in G Suite's mail validation rules and an inbound gateway, I was able to cause Google's backend to resend mail for any domain which was clearly spoofed when it was received.” Husain added that “This is advantageous for an attacker if the victim they intend to impersonate also uses Gmail or G Suite because it means the message sent by Google's backend will pass both SPF and DMARC as their domain will, by nature of using G Suite, be configured to allow Google's backend to send mail from their domain.”
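The point in the quote above is that SPF and DMARC authenticate the sending infrastructure and the domain, not the individual sender. The sketch below is an added example, not code from Husain's post or from Google: a simplified evaluator (only the `ip4`, `include` and `all` SPF mechanisms, SPF-based DMARC alignment, DKIM omitted) run over constructed records, with `victim.example`, `_spf.provider.example` and the documentation-range IPs all being placeholders.

```python
import ipaddress

# Constructed DNS TXT data (placeholders, not real records). The impersonated
# domain delegates sending to its hosted-mail provider through an SPF include.
DNS_TXT = {
    "victim.example": "v=spf1 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.victim.example": "v=DMARC1; p=reject; aspf=s",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip, depth=0):
    """Simplified SPF evaluation: ip4, include and all mechanisms only."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            # An include matches only when the included record yields "pass".
            matched = spf_check(mech[8:], client_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue  # mechanisms outside this sketch are skipped
        if matched:
            return RESULTS[qualifier]
    return "neutral"

def dmarc_check(header_from_domain, mail_from_domain, client_ip):
    """DMARC via SPF: SPF must pass and the two domains must align (strict)."""
    if DNS_TXT.get("_dmarc." + header_from_domain) is None:
        return "none"
    spf = spf_check(mail_from_domain, client_ip)
    aligned = mail_from_domain.lower() == header_from_domain.lower()
    return "pass" if spf == "pass" and aligned else "fail"

def demo():
    # The same message claiming to be from victim.example, seen from two
    # connecting IPs (constructed, documentation ranges).
    direct = dmarc_check("victim.example", "victim.example", "203.0.113.7")
    relayed = dmarc_check("victim.example", "victim.example", "192.0.2.25")
    return direct, relayed  # outside host vs. the provider's own backend

if __name__ == "__main__":
    print(demo())
```

Because the verdict depends only on the connecting IP and the domain, any message the provider's backend can be made to resend inherits the domain's authorization, which is why the fix had to be applied on the provider's side.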
As mentioned by ZDNet, the patch has been rolled out on the server side, so Gmail or G Suite users don't have to do anything.