Vulnerability related to spoofed email reported in Google's Gmail and G Suite



Security researcher Allison Husseini reported on his blog that Google's Gmail and G Suite were vulnerable to email spoofing.

The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer :: Ezhes — tale of the tailed z
https://ezh.es/blog/2020/08/the-confused-mailman-sending-spf-and-dmarc-passing-mail-as-any-gmail-or-g-suite-customer/

Google fixed email spoofing flaw 7 hours after public disclosure - Security Affairs
https://securityaffairs.co/wordpress/107360/hacking/google-email-spoofing-flaw.html

The vulnerability Husseini found in Gmail and G Suite was that 'not enough verification is done when setting up the mail routing'. The flaw is specific to Gmail and G Suite, and an attacker could use it to send email impersonating a Gmail or G Suite user.

In Husseini's experiments, email sent by exploiting this vulnerability evaded sender authentication such as Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC); in other words, the spoofed mail passed both checks. Husseini was in fact able to send spoofed email using a G Suite account he created for the test.



Husseini discovered the vulnerability on April 1, 2020 and reported it to Google on April 3, 2020. Google acknowledged the vulnerability but did not fix it, so on August 1, 2020 Husseini notified Google that 'the vulnerability will be posted on the blog on August 17, 2020'. On August 14, 2020, Google told Husseini that it would 'release a patch on September 17, 2020', but Husseini published the article on his blog on August 19, 2020. Google fixed the vulnerabilities Husseini disclosed about seven hours after publication.

Husseini said of Google's response: 'I published this vulnerability before the patch was released, but Google's security team was kind throughout the process and did not try to stop or restrict me from disclosing the bug, so I have no ill intent toward Google.'

On Thursday, August 20, 2020, Google services such as Gmail, Google Docs and Google Drive suffered a large-scale outage in which file creation and uploads failed, but any connection to the vulnerability Husseini discovered is unclear. The outage was resolved at around 20:00 Japan time on August 20, 2020.

Posted in Web Service, Security by darkhorse_log