Google has been forced to remedy a serious security vulnerability present in Gmail and G Suite email servers after an exploit was published online.
The vulnerability could have allowed an attacker to send imitation emails posing as any Gmail or G Suite customer, opening the door to an array of spear phishing and spam-based attacks – which could also be used to smuggle malware onto the target system.
Google had known about the flaw for 137 days prior to issuing the fix, but dragged its feet until security researcher Allison Husain published proof-of-concept exploit code to her blog.
Gmail security vulnerability
The now-patched Gmail exploit abused two separate issues which, when combined, could have given hackers the keys to the metaphorical kingdom.
The first bug allowed attackers to send fraudulent emails to an email gateway on the Gmail and G Suite backend, then run a server to wave the email through.
The second flaw created an opportunity to tweak email routing settings, allowing hackers to forward emails under the guise of any Gmail or G Suite user.
According to Husain, this second bug also meant malicious actors could bypass two highly restrictive email security standards: Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
“Due to missing verification when configuring mail routes, both Gmail’s and any G Suite customer’s strict DMARC/SPF policy may be subverted by using G Suite’s mail routing rules to relay and grant authenticity to fraudulent messages,” explained Husain.
The security researcher claims to have disclosed the issue on April 1 and notified Google of her intent to publish the exploit on August 1. Once the blog went live on August 19, only seven hours elapsed before Google delivered the fix.
The patch was administered on the backend, which means no action is needed on the part of Gmail users or G Suite customers in order to protect against attack.