A serious spoofing vulnerability affected Google’s Gmail service. Although the bug was discovered and responsibly disclosed, the tech giant delivered the fix only 7 hours after public disclosure.
Security researcher Allison Hussain discovered a serious bug affecting Gmail.
Sharing the details in a post, she revealed that she had found a mail spoofing vulnerability in Gmail. This was not similar to earlier such bugs. Rather, it specifically affected Google, allowing an adversary to bypass security checks and send emails impersonating other Gmail or G Suite users.
Usually, email servers employ two techniques to guard against spoofing: Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
However, the newly discovered Gmail bug could easily bypass both SPF and DMARC rules.
The first bug allowed an attacker to send spoofed emails to an inbound gateway on G Suite’s backend, while the second allowed setting up custom rules to forward an incoming spoofed email.
Describing the details in the post, the researcher stated,
Briefly, the bug worked because of two factors – broken recipient validation and an inbound gateway. Together, the two allowed the researcher to trick Google’s backend into resending a spoofed email for any domain.
The researcher has also shared the proof of concept for the exploit in her post.
The researcher first discovered the vulnerability in April 2020, after which she reached out to Google to report the matter.