Security researchers have exposed a vulnerability within the Google Admin console which allows cyberattackers to send spoof emails which appear legitimate from unclaimed domains.
Last month, as reported by Security Week, Patrik Fehrenbach and Behrouz Sadeghipour discovered a security flaw in the Google Admin console -- used to control a company's Google Apps suite -- which allowed users to temporarily claim domains and send spoofed emails from them.
In order to test the vulnerability, Fehrenbach and Sadeghipour used the tech giant itself as the victim, claiming domains including ytimg.com and gstatic.com and sending spoofed emails from them. Google uses these domains for YouTube and for hosting files and offloading static content in order to reduce bandwidth requirements in web browsing.
Throughout testing, as explained in a blog post and accompanying video, emails were sent that appeared to originate from these domains -- including "email@example.com" and "firstname.lastname@example.org."
Normally, if you attempt to send a spoofed email from another server, Google will recognize the message and warn the recipient that it may be fake or fraudulent, because the sending server is shown to be completely different from the domain in the From address. However, if you claim the domain through the Google Admin console, no warning is given to recipients -- and so the spoofed email is likely to be treated as coming from a trusted source.
As a result, cyberattackers could use this vulnerability to send out spoof emails which appear legitimate and sourced from a trusted server -- and contain no flags identifying emails as suspicious.
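The check described above, as an added example that is not part of the original article or of Google's code: a minimal version of the "sending server does not match the From domain" test, run over two constructed messages (the Received-SPF header layout, addresses and client IP are assumptions), showing why claiming the domain makes the warning disappear.

```python
import email
from email import policy
from email.utils import parseaddr

def from_domain(msg):
    """Domain of the RFC 5322 From: header, i.e. what the recipient sees."""
    _, addr = parseaddr(str(msg["From"] or ""))
    return addr.rpartition("@")[2].lower()

def verified_domain(msg):
    """Domain the receiving server actually verified for the transmitting host,
    read from a Received-SPF header in RFC 7208 key=value form (assumed layout).
    Returns "" when the SPF check did not pass."""
    hdr = str(msg["Received-SPF"] or "")
    if not hdr.lower().startswith("pass"):
        return ""
    for field in hdr.split(";"):
        key, _, value = field.strip().partition("=")
        if key.lower() == "envelope-from":
            return value.strip('"<>').rpartition("@")[2].lower()
    return ""

def spoof_warning(raw):
    """Return a warning when the displayed From domain is not the domain the
    sending host was verified for; None when the two agree."""
    msg = email.message_from_string(raw, policy=policy.default)
    shown, verified = from_domain(msg), verified_domain(msg)
    if shown and shown == verified:
        return None
    return f"From domain {shown!r} not verified for sending host (verified: {verified or 'none'})"

def build_sample(envelope_domain, from_domain_):
    # Constructed message: SPF passes for envelope_domain, From: shows from_domain_.
    return (
        "Received-SPF: pass (constructed) client-ip=203.0.113.5; "
        f'envelope-from="bounce@{envelope_domain}"; helo=mail.{envelope_domain};\n'
        f"From: Alerts <alerts@{from_domain_}>\n"
        "To: someone@example.org\nSubject: test\n\nbody\n"
    )

# Relayed through an unrelated server: domains differ, so the recipient is warned.
OUTSIDE_SERVER = build_sample("example.net", "gstatic.com")
# Domain claimed in the admin console and sent via Google itself: the verified
# domain now equals the displayed one, so the same check produces no warning.
CLAIMED_DOMAIN = build_sample("gstatic.com", "gstatic.com")

if __name__ == "__main__":
    print("outside server:", spoof_warning(OUTSIDE_SERVER))
    print("claimed domain:", spoof_warning(CLAIMED_DOMAIN))
```

The defensive takeaway is that the warning only ever compared the displayed domain with the verified one, so a domain that an attacker can get verified on their behalf is invisible to it; claiming and verifying your own domains removes that opportunity.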
The duo said:
"So not only were we claiming other domains, we were successfully able to trick the Google Mail Server into accepting a wrong FROM parameter. However, you can still claim any domain and have access to the admin console throughout the "validation process" and that is by design."
The researchers reported the security flaw to Google, which patched it by simply applying a FROM email@example.com. According to the publication, the team were awarded $500 for their work.
This week, both Apple and Google plan to release fixes for the FREAK security vulnerability, a flaw in legacy Secure Sockets Layer (SSL) and Transport Layer Security (TLS) support which allows hackers to launch SSL man-in-the-middle (MITM) attacks.