banner1
Logo Blinking Image
banner2

HOME
Breaking News

Gmail bug cured by Google

by VARINDIA 2020-08-21
Gmail bug cured by Google

Google faced a major security bug impacting the Gmail and G Suite email servers on Wednesday. The bug could have allowed a threat actor to send spoofed emails mimicking any Gmail or G Suite customer.

 

According to security researcher Allison Husain, who found and reported this issue to Google in April, the bug also allowed attachers to pass the spoofed emails as compliant with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), two of the most advanced email security standards.

 

 However, despite having 137 days to fix the reported issue, Google initially delayed patches past the disclosure deadline, planning to fix the bug somewhere in September.

 

 Google engineers changed their mind after Husain published details about the bug on her blog, including proof-of-concept exploit code.

 

 Seven hours after the blog post went live, Google told Husain they deployed mitigations to block any attacks leveraging the reported issue, while they waited for final patches to deploy in September.

 

 In hindsight, the bug patching snafu is a common occurrence in the tech industry, where many companies and their security teams don't always fully understand the severity and repercussions of not patching vulnerability until details about that bug become public, and they stand to be exploited.

 

As for the bug itself, the issue is actually a combination of two factors, as Husain explains in her blog post. The first is a bug that lets an attacker send spoofed emails to an email gateway on the Gmail and G Suite backend.

 

The attacker can run/rent a malicious email server on the Gmail and G Suite backend, allow this email through, and then use the second bug.

 

This second bug allows the attacker to set up custom email routing rules that take an incoming email and forward it, while also spoofing the identity of any Gmail or G Suite customer using a native Gmail/G Suite feature named "Change envelope recipient."

 

The benefit of using this feature for forwarding emails is that Gmail/G Suite also validates the spoofed forwarded email against SPF and DMARC security standards, helping attackers authenticate the spoofed message.

 

"Additionally, since the message is originating from Google's backend, it is also likely that the message will have a lower spam score and so should be filtered less often," Husain said, while also pointing out that the two bugs are unique to Google only.

 

Google's mitigations have been deployed server-side, which means Gmail and G Suite customers don't need to do anything.

er

See What’s Next in Tech With the Fast Forward Newsletter

SECURITY
View All
Saviynt opens its largest global innovation hub in Bengaluru to advance AI-powered identity security

Saviynt opens its largest global innovation hub in Bengaluru to advance AI-powered identity security

C-Suite's rush to AI blinds leadership to critical security failures, leaving organisations exposed

C-Suite's rush to AI blinds leadership to critical security failures, leaving organisations exposed

Kaspersky introduces Notification Protection for Android app

Kaspersky introduces Notification Protection for Android app

SOFTWARE
View All
Simplismart and Yotta partner to deliver the next generation of AI infrastructure for Indian enterprises with Shakti Studio

Simplismart and Yotta partner to deliver the next generation of AI infrastructure for Indian enterprises with Shakti Studio

Bud and NxtGen launch ‘M for Coding’, India’s alternative to Claude Code

Bud and NxtGen launch ‘M for Coding’, India’s alternative to Claude Code

Neo4j invests $100M in product innovation, unveils Aura Agent and MCP Server

Neo4j invests $100M in product innovation, unveils Aura Agent and MCP Server

START - UP
View All
Ex-Twitter CEO Parag Agrawal Unveils AI-Focused Startup Parallel Web Systems

Ex-Twitter CEO Parag Agrawal Unveils AI-Focused Startup Parallel Web Systems

Travel tech startup Teleport acquired by StampMyVisa

Travel tech startup Teleport acquired by StampMyVisa

Tally Solutions launches ‘Startup Challenge’ to boost innovation in manufacturing tech

Tally Solutions launches ‘Startup Challenge’ to boost innovation in manufacturing tech

Tweets From @varindiamag

CIO - SPEAK
Automation has the potential to greatly improve efficiency and production

Automation has the potential to greatly improve efficiency and production

Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

wew
wrdf
Start-Up and Unicorn Ecosystem
India's Technology Revolution: How Top 20 Companies Are Reshaping the Digital Landscape

India's Technology Revolution: How Top 20 Companies Are Reshaping the Digital Landscape

CLS 2026 : 40 Tech Segments Shaping the Channel

CLS 2026 : 40 Tech Segments Shaping the Channel

Channel Partners: Turbocharging India’s Tech Boom

Channel Partners: Turbocharging India’s Tech Boom

Payments 2030: What’s Shaping the Future?

Payments 2030: What’s Shaping the Future?

Pine Labs Partners with Bank of Ceylon to Power Multi-Currency Travel Card

Pine Labs Partners with Bank of Ceylon to Power Multi-Currency Travel Card

India Emerges as the Global Nerve Center for GCCs

India Emerges as the Global Nerve Center for GCCs

Indian Enterprises Can Unlock the $609 Billion AI Opportunity

Indian Enterprises Can Unlock the $609 Billion AI Opportunity

Consulting Firms Under Fire for AI Rollouts

Consulting Firms Under Fire for AI Rollouts

Deepfake Deception: How AI Fuels Scams and Fake News

Deepfake Deception: How AI Fuels Scams and Fake News

Databricks and OpenAI Partner to Bring Frontier AI to Enterprises with $100M Deal

Databricks and OpenAI Partner to Bring Frontier AI to Enterprises with $100M Deal

dsf