06/05 Update below. This post was originally published on June 3

The security of Gmail has always been one of its biggest selling points, but now one of its most important new security features is actively being used by hackers to scam users

Introduced last month, the Gmail checkmark system highlights verified companies and organizations to users with a blue checkmark. The idea is to help users discern which emails are legitimate and which may have been sent by impersonators running scams. Unfortunately, scammers have tricked the system.

Spotted by cybersecurity engineer Chris Plummer, scammers have found a way to convince Gmail that their fake brands are legitimate. Thereby using the confidence the checkmark system is supposed to instill against Gmail users.

“The sender found a way to dupe @gmail ’s authoritative stamp of approval, which end users are going to trust,” explains Plummer. “This message went from a Facebook account, to a UK netblock, to O365, to me. Nothing about this is legit.”

Plummer reports that Google initially dismissed his discovery as “intended behaviour” before his tweets about it went viral, and the company acknowledged the error. In a statement to Plummer, Google wrote:

“After taking a closer look we realized that this indeed doesn’t seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on.

We apologize again for the confusion and we understand our initial response might have been frustrating, thank you so much for pressing on for us to take a closer look at this!

We’ll keep you posted with our assessment and the direction that this issue takes.

Regards, Google Security Team”

Plummer highlights that Google has now listed the flaw as a ‘P1’ (top priority) fix, which is currently “in progress.”

Immense credit goes to Plummer, not just for his discovery, but for the lengths he went to to make Google acknowledge the problem. That said, until Google has a fix, the Gmail checkmark verification system remains broken and is being used by hackers and spammers to trick you with the exact thing it was meant to combat. Stay vigilant.

06/05 Update: security researchers are beginning to understand how Gmail’s checkmark verification system is being tricked and how it applies to other email services. In a blog post, debugger Jonathan Rudenberg revealed he was able to replicate the hack on Gmail, explaining:

“Gmail’s BIMI implementation only requires SPF to match, the DKIM signature can be from any domain. This means that any shared or misconfigured mail server in a BIMI-enabled domain’s SPF records can be a vector for sending spoofed messages with the full BIMI ✅ treatment in Gmail…

BIMI is worse than the status quo, as it enables super-powered phishing based on a single misconfiguration in the extremely complicated and fragile stack that is email.”

Rudenberg also published results for BIMI implementations on other major email services, stating:

• iCloud: properly checks that DKIM matches the From domain
• Yahoo: only attaches BIMI treatment to bulk sends with high reputation
• Fastmail: vulnerable but also supports Gravatar and uses the same treatment for both so the impact is minimal
• Apple Mail + Fastmail: vulnerable with a dangerous treatment

Yes, this means Apple Mail and Fastmail users must also be vigilant, though they don’t run the same verified checkmark system as Gmail. There has been a highly critical response to this vulnerability from the security community, with questions raised about how this was allowed to happen and how poorly implemented the Gmail verification method is. Google needs a fix ASAP.

___

Follow Gordon on Facebook

More On Forbes

Adblock test (Why?)

Source link

Article content

Apple Inc.’s next big thing is finally here, with the company set to announce its mixed-reality headset at its Worldwide Developers Conference, better known as WWDC, on Monday. The headset has the potential to usher in a new era: It could kick off the shift to a different interface that upends how people work, play games and entertain themselves. Investors will be keen to see how it all plays out with shares of the tech behemoth trading higher this morning, putting them on pace to close at a record high ahead of this product launch.

Hollywood’s Deal

The Directors Guild of America reached a tentative agreement with the Alliance of Motion Picture and Television Producers, which represents Hollywood studios, a victory for one of several entertainment industry unions seeking adjusted contracts this summer. The tentative agreement reached Saturday will allocate a 5% wage increase in the first year of contract, 4% in the second year and 3.5% in the third year, according to a statement from the union, DGA. The deal also says that generative AI cannot replace duties performed by members as the technology isn’t considered a person. 

Adblock test (Why?)

Source link

Apple Inc AAPL-Q is expected to unveil a mixed-reality headset at its annual software developer conference on Monday, its first big move into a new product category since the introduction of the Apple Watch nine years ago.

The launch will see Apple test a market crowded with devices that have yet to gain traction with consumers and put it in direct competition with Facebook-owner Meta Platforms META-Q.

Like Meta’s Quest Pro from last year and Quest 3 announced last week, Apple’s device is likely to blend a video feed from the outside world with a virtual world displayed on screens inside the headset.

Analysts expect Apple’s headset to come with premium features including a high-quality display and hand-tracking so it can be controlled without an external controller. It’s also likely to cost much more than the planned $500 Quest 3.

Investors and tech fans alike will be focusing on how much Apple’s view of the virtual reality market overlaps with Meta’s. Meta Chief Executive Mark Zuckerberg has outlined his vision for using headsets to dip in and out of a “metaverse” where people can meet virtually to work, play and spend.

In addition to Meta, Sony Group Corp and ByteDance-owned Pico both recently released virtual reality devices.

Research firm IDC said companies sold a total of 8.8 million headsets last year, down 20.9 per cent from 2021. In the first quarter of 2023, sales more than halved.

Apple’s presentation on Monday is mostly aimed at sparking the imaginations of the thousands of software developers who will stream into Apple Park for a keynote address at 1 p.m. Eastern Time (1700 GMT).

Apple will also deliver updates on its operating systems for iPhones, iPads and Mac computers.

Investors will also look for updates on CarPlay, Apple’s software for vehicles, which the company said last year would start to power more dashboard functions.

Adblock test (Why?)

Source link