
06/05 Update below. This post was originally published on June 3
The security of Gmail has always been one of its biggest selling points, but one of its most important new security features is now being actively abused by scammers to defraud users.
Gmail’s new blue checkmark sender verification system — as it should work
Introduced last month, the Gmail checkmark system highlights verified companies and organizations to users with a blue checkmark. The idea is to help users discern which emails are legitimate and which may have been sent by impersonators running scams. Unfortunately, scammers have tricked the system.
Scammers hacking Gmail’s new sender verification system
Spotted by cybersecurity engineer Chris Plummer, the scam works by convincing Gmail that a fake sender is a legitimate brand, turning the confidence the checkmark system is supposed to instill against Gmail users.
“The sender found a way to dupe @gmail’s authoritative stamp of approval, which end users are going to trust,” explains Plummer. “This message went from a Facebook account, to a UK netblock, to O365, to me. Nothing about this is legit.”
Plummer reports that Google initially dismissed his discovery as “intended behaviour”; only after his tweets about it went viral did the company acknowledge the error. In a statement to Plummer, Google wrote:
“After taking a closer look we realized that this indeed doesn’t seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on.
We apologize again for the confusion and we understand our initial response might have been frustrating, thank you so much for pressing on for us to take a closer look at this!
We’ll keep you posted with our assessment and the direction that this issue takes.
Regards, Google Security Team”
Plummer highlights that Google has now listed the flaw as a ‘P1’ (top priority) fix, which is currently “in progress.”
Immense credit goes to Plummer, not just for his discovery, but for the persistence it took to make Google acknowledge the problem. That said, until Google ships a fix, the Gmail checkmark verification system remains broken and is being used by scammers and spammers to impersonate exactly the brands it was meant to protect. Stay vigilant.
06/05 Update: security researchers are beginning to understand how Gmail’s checkmark verification system is being tricked and how the same weakness applies to other email services. In a blog post, Jonathan Rudenberg revealed he was able to replicate the hack on Gmail, explaining:
“Gmail’s BIMI implementation only requires SPF to match, the DKIM signature can be from any domain. This means that any shared or misconfigured mail server in a BIMI-enabled domain’s SPF records can be a vector for sending spoofed messages with the full BIMI ✅ treatment in Gmail…
BIMI is worse than the status quo, as it enables super-powered phishing based on a single misconfiguration in the extremely complicated and fragile stack that is email.”
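To make the difference Rudenberg describes concrete, the following added example (not code from the article, from Rudenberg’s post, or from any mail provider) models the decision an inbox provider makes before attaching BIMI branding. BIMI is gated on DMARC, and DMARC passes when either the SPF-authenticated domain or a DKIM-signing domain aligns with the From header’s domain; the flawed policy accepts an aligned SPF pass on its own, the safe policy insists on an aligned DKIM signature. All domains, the SPF record and the message authentication data are constructed placeholders, and the list of “shared” mail hosts and the simplified organisational-domain logic are assumptions for the example.

```python
"""Added example, not code from the article or from Rudenberg's post.

Models the decision an inbox provider makes before attaching BIMI branding.
BIMI is gated on DMARC, and DMARC passes when EITHER the SPF-authenticated
domain OR a DKIM-signing domain aligns with the From header's domain.  The
flaw described above is a BIMI check that is satisfied by an SPF-only pass,
which fails open whenever the brand's SPF record authorises a shared mail
host that unrelated tenants can also send through.

All message data and DNS records below are constructed placeholders
(brand.example, attacker.example, _spf.shared-host.example); none are real
records or real message headers.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class AuthResults:
    """What the receiver learned while authenticating one message."""
    from_domain: str                                  # domain in the RFC5322.From header
    spf_domain: Optional[str] = None                  # RFC5321.MailFrom domain if SPF passed
    dkim_domains: List[str] = field(default_factory=list)  # d= of each passing DKIM signature


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels.
    (Assumption for the example: a real receiver uses the Public Suffix List.)"""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """DMARC identifier alignment: exact match (strict) or same org domain (relaxed)."""
    if strict:
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def bimi_spf_only(ar: AuthResults) -> bool:
    """The flawed policy: an aligned SPF pass alone unlocks the brand indicator."""
    return ar.spf_domain is not None and aligned(ar.spf_domain, ar.from_domain)


def bimi_dkim_required(ar: AuthResults) -> bool:
    """The safe policy: an aligned DKIM signature is required.  DKIM binds the
    From domain to a key only the brand controls; SPF only says the sending
    host was authorised, and that host may serve many unrelated tenants."""
    return any(aligned(d, ar.from_domain) for d in ar.dkim_domains)


# Assumed list of multi-tenant sending services (placeholder name).
SHARED_SENDER_INCLUDES: Set[str] = {"_spf.shared-host.example"}


def shared_includes(spf_record: str, shared: Set[str] = SHARED_SENDER_INCLUDES) -> List[str]:
    """Return the include: mechanisms in an SPF record that point at shared hosts.
    Each one is a path by which an unrelated tenant can obtain an SPF pass."""
    hits = []
    for term in spf_record.split():
        mech = term.lstrip("+-~?")                    # drop the SPF qualifier, if any
        if mech.startswith("include:"):
            target = mech[len("include:"):].lower()
            if target in shared:
                hits.append(target)
    return hits


# Constructed scenario: brand.example lets a shared host send on its behalf.
BRAND_SPF = "v=spf1 ip4:192.0.2.10 include:_spf.shared-host.example -all"

# The attacker mails from their own tenant on that shared host with a
# MailFrom of brand.example, so SPF passes, and signs with their own DKIM key.
SPOOFED = AuthResults(from_domain="brand.example",
                      spf_domain="brand.example",
                      dkim_domains=["attacker.example"])

# A genuine message carries the brand's own aligned signature.
GENUINE = AuthResults(from_domain="brand.example",
                      spf_domain="brand.example",
                      dkim_domains=["brand.example"])


def main() -> None:
    print("shared SPF includes:", shared_includes(BRAND_SPF))
    for name, ar in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(f"{name}: spf-only={bimi_spf_only(ar)} dkim-required={bimi_dkim_required(ar)}")


if __name__ == "__main__":
    main()
```

Run as-is: the spoofed message earns the brand indicator under the SPF-only policy and is refused under the DKIM-required policy, while the genuine message passes both. The `shared_includes` pass is the audit a brand owner can run on its own SPF record; every flagged include is a host from which a third party can satisfy the weaker check.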
Rudenberg also published results for BIMI implementations on other major email services, stating:
- iCloud: properly checks that DKIM matches the From domain
- Yahoo: only attaches BIMI treatment to bulk sends with high reputation
- Fastmail: vulnerable but also supports Gravatar and uses the same treatment for both so the impact is minimal
- Apple Mail + Fastmail: vulnerable with a dangerous treatment
Yes, this means Apple Mail and Fastmail users must also be vigilant, even though those services do not show Gmail’s blue checkmark. For brand owners the lesson is the same on every provider: a BIMI-enabled domain’s SPF record must not authorise shared mail services that unrelated tenants can send through, and an aligned DKIM signature, not an SPF pass, is what actually ties a message to the brand. The security community’s response has been highly critical, with questions raised about how such a basic alignment check was missed and how poorly Gmail’s verification method was implemented. Google needs a fix ASAP.