A serious email spoofing vulnerability affected Google’s Gmail and G Suite services. Although it was discovered and responsibly disclosed months earlier, Google only shipped the fix within 7 hours of the researcher’s public disclosure.
Serious Gmail Bug Discovered
Security researcher Allison Hussain discovered a serious bug affecting Gmail.
Sharing the details in a post, she revealed that she had found a mail spoofing vulnerability in Gmail. Unlike earlier spoofing bugs, which abused weaknesses in a sender’s own mail setup, this one was specific to Google’s backend: it let an adversary bypass Google’s authentication checks and send emails impersonating any other Gmail or G Suite user.
Mail servers usually rely on two standard techniques to tackle spoofing: Sender Policy Framework (SPF), which checks that the IP address delivering a message is authorised by the envelope sender’s domain, and Domain-based Message Authentication, Reporting and Conformance (DMARC), which requires the visible From domain to align with an authenticated identity and tells receivers what to do (none, quarantine, or reject) when that check fails.
The newly discovered Gmail bug allowed an attacker to bypass both SPF and DMARC.
The issue was actually a chain of two bugs. The first allowed an attacker to send spoofed emails through an inbound gateway on G Suite’s backend, where authentication checks were not performed. The second allowed the attacker to set up custom routing rules that forwarded the incoming spoofed email onward, so that it left Google’s infrastructure looking like legitimate mail.
Describing the details in the post, the researcher stated,
Gmail skips performing SPF checks on IP addresses included in the Gateway IPs list. If an inbound gateway is set up, the DMARC check should be done by the inbound gateway and will be skipped for messages arriving from listed hosts.
In short, the bug worked because of two factors: broken recipient validation in the routing rules and the trust placed in an inbound gateway. Together, they allowed the researcher to trick Google’s backend into relaying a spoofed email, from Google’s own servers, for any Gmail or G Suite domain.
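To make the chain concrete, the following is an added illustration written for this article; it is not Google’s code and not the researcher’s proof of concept. It models a simplified SPF and DMARC evaluation (only `ip4:` terms and the `p=` tag are handled, DKIM is not modelled), a tenant whose listed gateway IPs skip authentication, and a routing rule that relays mail to an external recipient. All domains, IP addresses, DNS records and messages are constructed; `PROVIDER_RELAY_IP` stands in for the provider’s outbound range, which the victim’s SPF record trusts because the victim is a hosted customer of the same provider.

```python
"""Simplified model of the SPF/DMARC + inbound-gateway + routing-rule chain.
Added illustration for this article, not Google's code or the researcher's PoC.
All DNS records, hosts, IP addresses and messages below are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for DNS TXT records (assumption: only ip4:/-all SPF terms
# and the DMARC p= tag are modelled; real records use include:, mx, pct=, ...).
DNS_TXT = {
    "victim.example": "v=spf1 ip4:198.51.100.0/24 -all",   # trusts the provider's outbound range
    "_dmarc.victim.example": "v=DMARC1; p=reject; aspf=r",
    "attacker.example": "v=spf1 ip4:203.0.113.7 -all",
    "_dmarc.attacker.example": "v=DMARC1; p=none",
}
PROVIDER_RELAY_IP = "198.51.100.25"   # constructed: where relayed mail leaves the provider


@dataclass
class Message:
    client_ip: str     # host that connected to us
    mail_from: str     # RFC5321.MailFrom (envelope sender), what SPF checks
    header_from: str   # RFC5322.From (what the user sees), what DMARC aligns
    rcpt_to: str       # envelope recipient


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def spf_check(client_ip: str, mail_from: str) -> str:
    """'pass' if client_ip matches an ip4: term of the sender domain, 'none' if no record, else 'fail'."""
    record = DNS_TXT.get(domain_of(mail_from), "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
    return "fail"


def dmarc_policy(header_from: str) -> str:
    record = DNS_TXT.get("_dmarc." + domain_of(header_from), "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none")


def aligned(a: str, b: str) -> bool:
    """Relaxed alignment: same domain, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def dmarc_check(msg: Message) -> str:
    """DMARC result derived from SPF only (DKIM not modelled): 'pass' or 'fail'."""
    spf_ok = spf_check(msg.client_ip, msg.mail_from) == "pass"
    return "pass" if spf_ok and aligned(domain_of(msg.mail_from), domain_of(msg.header_from)) else "fail"


@dataclass
class Tenant:
    domains: set                                     # domains this tenant owns
    gateway_ips: set = field(default_factory=set)    # hosts whose mail skips SPF/DMARC
    forward_to: str = ""                             # routing rule: relay incoming mail here
    validate_recipient: bool = True                  # hardened: only relay to own domains


def final_delivery(msg: Message) -> str:
    """The destination domain's own checks on the relayed copy."""
    verdict = "accepted" if dmarc_check(msg) == "pass" else "rejected"
    return "%s at %s" % (verdict, domain_of(msg.rcpt_to))


def inbound(msg: Message, tenant: Tenant) -> str:
    """What the provider does with a message arriving for `tenant`."""
    if msg.client_ip in tenant.gateway_ips:
        auth = "skipped"        # the weak behaviour quoted in the article
    else:
        auth = dmarc_check(msg)
        if auth == "fail" and dmarc_policy(msg.header_from) == "reject":
            return "rejected"
    if tenant.forward_to:
        if tenant.validate_recipient and domain_of(tenant.forward_to) not in tenant.domains:
            return "forward refused: recipient outside tenant"
        # Relay leaves from the provider's own IP with the spoofed sender intact,
        # so the destination's SPF check now sees an IP the victim domain trusts.
        relayed = Message(PROVIDER_RELAY_IP, msg.mail_from, msg.header_from, tenant.forward_to)
        return "relayed -> " + final_delivery(relayed)
    return "delivered (auth=%s)" % auth


def attacker_tenant(validate_recipient: bool) -> Tenant:
    """Constructed attacker-controlled tenant that lists its own host as a gateway."""
    return Tenant(domains={"attacker.example"}, gateway_ips={"203.0.113.7"},
                  forward_to="cfo@victim.example", validate_recipient=validate_recipient)


# Constructed spoofed message: envelope and header sender both claim victim.example.
SPOOF = Message(client_ip="203.0.113.7", mail_from="ceo@victim.example",
                header_from="ceo@victim.example", rcpt_to="inbox@attacker.example")

if __name__ == "__main__":
    print("weak:     ", inbound(SPOOF, attacker_tenant(validate_recipient=False)))
    print("hardened: ", inbound(SPOOF, attacker_tenant(validate_recipient=True)))
    print("no gateway:", inbound(SPOOF, Tenant(domains={"attacker.example"})))
```

Run as-is, the weak tenant relays the spoof and the victim domain accepts it because the relayed copy arrives from an IP its own SPF record authorises and the From header aligns; the same message without a gateway listing fails SPF and is rejected under the victim’s `p=reject` policy. The hardened path refuses the forward because the routing target is outside the tenant’s own domains, which is the recipient validation the article identifies as missing.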
The researcher has also shared the proof of concept for the exploit in her post.
Urgent Patch Rolled Out
The researcher first discovered the vulnerability in April 2020 and reported it to Google.
Google acknowledged the vulnerability but had not fixed it by August. On follow-up, Google told the researcher that a fix would ship in September 2020.
After the researcher publicly disclosed the vulnerability and the PoC exploit in her post, however, Google deployed the fix within 7 hours.
The vulnerability is now fixed on Google’s side, and customers do not need to take any action.
Let us know your thoughts in the comments.