Google has secured the servers of its popular email service Gmail and its business counterpart G Suite against a serious security vulnerability last Wednesday. Attackers had been able to exploit it to impersonate other Gmail and G Suite users in emails particularly convincingly.
Since the security hole was fixed on the server side, users do not need to take any action. Google closed the loophole about seven hours after its discoverer, Allison Husain, published a detailed blog entry along with a proof of concept of the mail-spoofing attack. It is not known whether active attacks took place within this rather short time span.
However, Husain points out in her blog entry that she had already informed Google on April 3. The company had not wanted to meet the responsible-disclosure deadline that had been set and had not announced a fix before September 17, so she finally went public with the details after about 137 days. Shortly thereafter, Google implemented the necessary security mechanisms at short notice.
SPF and DMARC are undermined
The spoofing attack developed by Allison Husain was particularly effective because it bypassed the Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) security mechanisms. Messages that pass these checks are more likely to be considered trustworthy, which in the case of real attacks in the wild would probably have contributed to the success of the deception.
The attack strategy is based on the advanced Gmail settings available in G Suite for businesses. Specifically, Husain made use of two options available through the Google Admin console: she set up an inbound gateway ("Inbound gateway") with her own G Suite account, and she also set up an email routing rule that rewrites the envelope recipient ("Change envelope recipient"). The recipient entered there corresponded to the address of the victim who was to receive the spoofed email.
In the first step, she then sent an email with a forged, arbitrary Gmail sender address through the freshly set-up inbound gateway using conventional spoofing methods. The Gmail backend accepted the incoming message despite failed SPF and DMARC checks because it considered the gateway trustworthy. In the second step, the previously configured routing rule took effect: the backend forwarded the email with the forged sender to the registered envelope recipient. Since, from the recipient server's perspective, the message now originated from the Gmail backend (with a matching sender), it also passed the checks, and the spoofing trap snapped shut.
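To make the two-step mechanism concrete, here is an added simulation (example code written for this article, not Husain's proof of concept and not Google's implementation). It models SPF as a toy table of permitted netblocks and DMARC as "SPF passes and the envelope-sender domain aligns with the From: domain". The IP addresses, domain names and netblocks are constructed placeholders from the RFC 5737 documentation ranges; the assumption that an inbound gateway is accepted regardless of its SPF/DMARC result, and that each hop leaves an Authentication-Results header that survives the relay, is what the example relies on for its detection heuristic, and both are assumptions of the model, not statements about Gmail's header handling.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed toy SPF data: netblocks allowed to send for each domain.
# 203.0.113.0/24 stands in for the "Gmail backend" here (RFC 5737 documentation range).
SPF_RANGES = {"gmail.com": ["203.0.113.0/24"]}
DMARC_POLICY = {"gmail.com": "reject"}


@dataclass
class Message:
    client_ip: str                      # host delivering this hop
    mail_from: str                      # SMTP envelope sender (MAIL FROM)
    header_from: str                    # RFC 5322 From: address
    auth_results: list = field(default_factory=list)  # Authentication-Results, newest first


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def spf_check(client_ip, mail_from):
    """Toy SPF: pass if the delivering IP is inside one of the domain's permitted netblocks."""
    nets = SPF_RANGES.get(domain_of(mail_from))
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in nets) else "fail"


def dmarc_check(spf_result, mail_from, header_from):
    """Simplified DMARC: SPF must pass and MAIL FROM must align with the From: domain."""
    dom = domain_of(header_from)
    if dom not in DMARC_POLICY:
        return "none"
    aligned = domain_of(mail_from) == dom
    return "pass" if (spf_result == "pass" and aligned) else "fail"


def receive(msg, receiver, trusted_gateway_ips=()):
    """Evaluate one hop, record an Authentication-Results header, decide acceptance.
    A source registered as an inbound gateway is accepted regardless of the result
    (assumption modelling the behaviour the article describes)."""
    spf = spf_check(msg.client_ip, msg.mail_from)
    dmarc = dmarc_check(spf, msg.mail_from, msg.header_from)
    ar = (f"{receiver}; spf={spf} smtp.mailfrom={domain_of(msg.mail_from)}; "
          f"dmarc={dmarc} header.from={domain_of(msg.header_from)}")
    accepted = msg.client_ip in trusted_gateway_ips or dmarc != "fail"
    return accepted, Message(msg.client_ip, msg.mail_from, msg.header_from, [ar] + msg.auth_results)


def relay(msg, from_ip):
    """The backend re-sends the message from its own IP; headers travel along unchanged."""
    return Message(from_ip, msg.mail_from, msg.header_from, list(msg.auth_results))


def upstream_failures(msg):
    """Defender heuristic: earlier hops that recorded spf=fail or dmarc=fail even though
    the final hop passed. Only works if those headers were preserved (assumption)."""
    return [ar for ar in msg.auth_results[1:] if re.search(r"\b(spf|dmarc)=fail\b", ar)]


def simulate_attack():
    attacker_ip = "198.51.100.7"   # constructed attacker-controlled gateway host
    backend_ip = "203.0.113.10"    # constructed backend IP inside gmail.com's toy SPF range
    forged = Message(attacker_ip, "ceo@gmail.com", "ceo@gmail.com")
    # Step 1: delivery into the attacker's own tenant via the registered inbound gateway
    ok1, m = receive(forged, "tenant.example", trusted_gateway_ips={attacker_ip})
    # Step 2: routing rule changes the envelope recipient; the backend relays to the victim
    ok2, m = receive(relay(m, backend_ip), "victim.example")
    return ok1, ok2, m


if __name__ == "__main__":
    ok1, ok2, final = simulate_attack()
    print("step 1 accepted:", ok1, "| step 2 accepted:", ok2)
    for ar in final.auth_results:
        print("  ", ar)
    print("upstream failures flagged:", len(upstream_failures(final)))
```

The first hop records spf=fail/dmarc=fail but is accepted because the source is a trusted gateway; the second hop, now delivered from the backend's own netblock with an aligned sender, passes cleanly. For the receiving side, the only trace of the forgery in this model is the earlier failed result, which is why a receiver that trusts only the most recent Authentication-Results header sees nothing wrong.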