Email spoofing security hole discovered in Google Admin console

Security researchers have identified a security flaw in the Google Admin console which allows attackers to claim domains and send out spoof emails.


Security researchers have exposed a vulnerability within the Google Admin console which allows cyberattackers to send spoof emails which appear legitimate from unclaimed domains.

Last month, as reported by Security Week, Patrik Fehrenbach and Behrouz Sadeghipour discovered across a security flaw in the Google Admin console -- used to control a company's Google Apps suite -- which allowed users to temporarily claim domains and send spoof emails.

In order to test the vulnerability, Fehrenbach and Sadeghipour used the tech giant itself as a victim -- claiming domains including and to send spoofed emails. The domains are used by Google in relation to YouTube and both hosting files and offloading static content in order to reduce bandwidth requirements in web browsing.

Throughout testing, as explained in a blog post and accompanying video, emails were sent appearing to send from these domains -- including "" and ""

Normally, if you attempt to send a spoofed email from another server, Google will recognize the message and warn the user that it may be fake or fraudulent -- as the server will be shown as completely different to the domain. However, if you claim the domain through the Google Admin console, no warnings are given to recipients -- and so the spoofed email is likely to be considered a trusted source.

As a result, cyberattackers could use this vulnerability to send out spoof emails which appear legitimate and sourced from a trusted server -- and contain no flags identifying emails as suspicious.

Read this

Six clicks: Top free iOS, Android apps to learn how to program

No matter the age, learning a programming language is a marketable skill. Here are mobile apps to assist you.

Read More

The duo said:

"So not only we are claiming other domains, we were successfully able to trick the Google Mail Server into accepting a wrong FROM parameter. However you can still claim any domain and have access to the admin console through out the "validation process" and that is by design."

The researchers reported the security flaw to Google, which was patched by simply applying a FROM According to the publication, the team were awarded $500 for their work.

This week, both Apple and Google plan to release fixes for the FREAK security vulnerability, a legacy Secure Sockets Layer (SSL) and Transport Layer Security (TLS) security flaw which allows hackers to launch SSL Man-in-the-Middle (MITM) attacks.

Read on: In the world of security