Google fixes major Gmail bug seven hours after exploit details go public

guest · Aug 20, 2020

Google fixes major Gmail bug seven hours after exploit details go public
Attackers could have sent spoofed emails mimicking any Gmail or G Suite customer
August 20, 2020
https://www.zdnet.com/article/googl...-seven-hours-after-exploit-details-go-public/

Google has patched on Wednesday a major security bug impacting the Gmail and G Suite email servers.
The bug could have allowed a threat actor to send spoofed emails mimicking any Gmail or G Suite customer.

According to security researcher Allison Husain, who found and reported this issue to Google in April, the bug also allowed attachers to pass the spoofed emails as compliant with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), two of the most advanced email security standards.
Click to expand...

GOOGLE DELAYED PATCHES, DESPITE A FOUR MONTHS HEADS-UP
However, despite having 137 days to fix the reported issue, Google initially delayed patches past the disclosure deadline, planning to fix the bug somewhere in September.

Google engineers changed their mind yesterday after Husain published details about the bug on her blog, including proof-of-concept exploit code.
Seven hours after the blog post went live, Google told Husain they deployed mitigations to block any attacks leveraging the reported issue, while they wait for final patches to deploy in September.
Click to expand...

The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer

This is notably not the same as classic mail spoofing of yesteryear in which the From header is given an arbitrary value [...]

This issue is a bug unique to Google which allows an attacker to send mail as any other user or G Suite customer while still passing even the most restrictive SPF and DMARC rules.
[...]
This results in a completely illegitimate message from a highly trusted domain with strong SPF and DMARC configurations being delivered directly to the victim’s inbox without any sort of warning:
Click to expand...

Log in or Sign up

Google fixes major Gmail bug seven hours after exploit details go public

guest Guest

Log in or Sign up

Google fixes major Gmail bug seven hours after exploit details go public

guest Guest

Useful Searches