In April, security researcher Allison Husain discovered a critical security flaw in Gmail’s servers. The vulnerability reportedly made it possible for attackers to send spoofed emails impersonating any Gmail or G Suite user. According to Husain’s findings, the flaw even tricks Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) rules.
Google accepted the issue on April 16 and classified it as a priority 2, severity 2 bug. However, the company didn’t immediately follow up on the issue. On August 1, Husain informed Google of plans to disclose the issue on August 17. The software giant acknowledged the issue and set September 17 as the rollout date for the bug fix. Husain then made the flaw public on August 19. Seven hours later, Google fixed the vulnerability.
As Husain explains in her blog post, the exploit takes advantage of flawed recipient validation in G Suite’s mail validation rules and an inbound mail gateway to spoof emails. An inbound mail gateway is a server responsible for processing incoming emails.
“This is advantageous for an attacker if the victim they shall impersonate also uses Gmail or G Suite because it means the message sent by Google’s backend will pass both SPF and DMARC as their domain will, by nature of using G Suite, be configured to permit Google’s backend to send mail from their domain,” wrote Husain.
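The following is an added example, not code from Husain's post or from Google, showing why the checks described above pass: SPF authorizes a provider's sending addresses, not the individual tenant that submitted the message. The domains, IP ranges and records are constructed, and the SPF evaluator is a simplified model that handles only the `ip4:`, `include:` and `all` mechanisms with strict DMARC alignment.

```python
import ipaddress

# Constructed DNS TXT data (documentation IP ranges, hypothetical domains).
SPF_RECORDS = {
    "victim.example": "v=spf1 include:_spf.provider.example ~all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "selfhosted.example": "v=spf1 ip4:203.0.113.10 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(client_ip, domain, records=SPF_RECORDS, depth=0):
    """Simplified SPF check for the connecting IP against a domain's record."""
    record = records.get(domain)
    if record is None or depth > 10:  # RFC 7208 caps DNS lookups at 10
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            # include matches only when the referenced record yields "pass"
            matched = spf_result(client_ip, mech[8:], records, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue  # mechanisms outside this simplified model
        if matched:
            return RESULTS[qualifier]
    return "neutral"


def dmarc_spf_pass(client_ip, envelope_from_domain, header_from_domain):
    """DMARC via SPF: SPF passes and both domains align (strict mode)."""
    return (spf_result(client_ip, envelope_from_domain) == "pass"
            and envelope_from_domain == header_from_domain)


if __name__ == "__main__":
    shared_ip = "198.51.100.25"  # constructed address in the provider's range
    print(dmarc_spf_pass(shared_ip, "victim.example", "victim.example"))
    print(dmarc_spf_pass(shared_ip, "selfhosted.example", "selfhosted.example"))
```

Any domain that includes a shared provider's SPF record depends on that provider validating, per tenant, who may send as the domain; the receiver's SPF and DMARC checks cannot make that distinction.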
If you’re curious to understand how this could have been exploited, Husain has published a proof of concept in her blog post. You don’t need to worry about this issue anymore, since Google has made server-side changes to repair the flaw, which means you don’t need to make any changes or update anything on your end.