Google secured the servers of its popular e-mail service Gmail and its business counterpart G Suite against a serious security flaw last Wednesday. Attackers could have exploited it to impersonate other Gmail or G Suite users in e-mails.
Since the security gap has been fixed on the server side, users do not need to take action. Google closed the gap around seven hours after its discoverer Allison Husain had published a detailed blog entry and a proof of concept for the mail spoofing attack. It is not known whether active attacks took place within this relatively short period.
However, Husain points out in her blog entry that she informed Google on April 3rd. The company did not meet the responsible disclosure deadline she had set and did not announce a fix before September 17, so she finally went public with the details after around 137 days. Shortly afterwards, Google implemented the necessary security mechanisms at short notice.
SPF and DMARC undermined
The spoofing attack developed by Allison Husain was particularly effective because it undermined the Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) security mechanisms. Messages that pass these checks are more likely to be considered trustworthy, which in the event of real attacks in the wild would have helped the deception succeed.
The attack strategy is based on advanced Gmail settings available in G Suite for companies. Specifically, Husain made use of two options in the Google Admin console: using her own G Suite account, she set up a gateway for incoming e-mails (“Inbound gateway”) and also defined her own e-mail routing rule that changes the recipient (“Change envelope recipient”). The recipient entered there was the address of the victim who was ultimately meant to receive the spoofed e-mail.
In the first step, she then sent herself an e-mail with a fake, arbitrary Gmail / G Suite sender through the freshly set up inbound gateway, using conventional spoofing methods. The Gmail backend accepted the incoming message despite the failed SPF and DMARC checks because it classified the gateway as trustworthy. In the second step, the previously configured routing rule took effect: the backend forwarded the e-mail with the falsified sender to the configured envelope recipient. Since, from the perspective of the recipient server, the message came from the Gmail backend (with the same sender), it passed the checks – and the spoofing trap snapped shut.
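As a defender-side illustration of the two-hop pattern described above (an added example, not code from the article or from Husain's write-up): a small Python check that reads a message's Authentication-Results headers hop by hop and flags mail that failed SPF or DMARC at an earlier relay but carries a passing verdict from the final one. The sample message, the authserv-ids and the assumption that the earlier hop's header survives forwarding are all constructed.

```python
"""Flag mail whose SPF/DMARC verdict flipped from fail to pass between hops."""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List

# Matches "spf=pass", "dmarc=fail", etc. inside an Authentication-Results header.
AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)", re.I
)


def hop_results(msg: Message) -> List[Dict[str, str]]:
    """Per-hop auth verdicts, oldest hop first (headers are prepended, so reverse)."""
    hops = []
    for header in reversed(msg.get_all("Authentication-Results", [])):
        authserv_id = header.split(";", 1)[0].strip()
        verdicts = {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(header)}
        hops.append({"authserv_id": authserv_id, **verdicts})
    return hops


def laundered(raw_message: str) -> bool:
    """True if an earlier hop failed SPF or DMARC but the newest hop reports a pass."""
    hops = hop_results(message_from_string(raw_message))
    if len(hops) < 2:
        return False  # single hop: nothing to compare
    newest = hops[-1]
    earlier_failed = any(
        hop.get(mech) in {"fail", "softfail"} for hop in hops[:-1] for mech in ("spf", "dmarc")
    )
    newest_passes = newest.get("dmarc") == "pass" or newest.get("spf") == "pass"
    return earlier_failed and newest_passes


# Constructed sample: first (newest) header is the recipient server's verdict,
# the second is the earlier hop where the spoofed message originally failed.
SUSPICIOUS = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=gmail.com; dmarc=pass header.from=gmail.com
Authentication-Results: mx.relay.example; spf=fail smtp.mailfrom=gmail.com; dmarc=fail header.from=gmail.com
From: colleague@gmail.com
To: victim@recipient.example
Subject: constructed sample

body
"""

CLEAN = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=gmail.com; dmarc=pass header.from=gmail.com
From: colleague@gmail.com
To: victim@recipient.example
Subject: constructed sample

body
"""
```

The heuristic only works when the intermediate hop's Authentication-Results header is preserved by the forwarding relay; where it is stripped, the Received chain is the remaining evidence.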