It’s only been a month since Google‘s Gmail offered its version of ‘blue checkmark’ verified accounts in Twitter‘s style, and hackers are already exploiting it.
Google launched the verification feature, which sits next to the sender’s name, to assure readers that emails are trustworthy.
Scammers have found a workaround to obtain the coveted mark, allowing them to craft fake addresses from famous brands and potentially dupe users into providing credentials or payments.
Cybersecurity claim Google was made aware of the flaw, shortly after it was identified but ‘ignored the issue.’
The new hack uses Gmail’s existing ‘Brand Indicators for Message Identification’ (BIMI) feature, based on their new ‘blue checkmark’ system. Scammers are exploiting the weakness to create, but ‘verified’ fake addresses from famous brands like global shipper UPS
‘I submitted a bug which @google lazily closed as ‘won’t fix – intended behavior,’ cybersecurity engineer Chris Plummer, tweeted.
‘How is a scammer impersonating @UPS in such a convincing way ‘intended.”
The exploit uses Gmail’s existing Brand Indicators for Message Identification (BIMI) feature, based on their new ‘blue checkmark’ system.
In theory, the blue checks would confirm that an email address is authorized to use the name and avatar image assigned to it, like a major brand’s logo.
Software engineer Jonathan Rudenberg said verification only required a DomainKeys Identified Mail (DKIM) signature, which could be ‘from any domain.’
‘This means that any shared or misconfigured mail server in a BIMI-enabled domain’s SPF [Sender Policy Framework] records can be a vector for sending spoofed messages,’ Rudenberg wrote in a blog post, ‘with the full BIMI treatment in Gmail.’
‘BIMI is worse than the status quo,’ Rudenberg said.
Users are urged to look closely at all verified email addresses before taking action.
Scammers craft addresses with many different numbers and letters while inputting the company’s name with the hopes of duping the recipients.
Shockingly, Google’s first response was to ignore the issue. Cybersecurity engineer Chris Plummer said that the tech giant’s security team first told him ‘won’t fix – intended behavior’
Other email clients have recently had or still have similar issues with their BIMI-authenticated ‘verified’ email address system, according to Rudenberg, including Microsoft 365 and Apple Mail, when paired with Fastmail.
iCloud and Yahoo were noticeably more secure.
Fortunately, Google now lists this fake ‘blue check’ bug as a top priority or ‘P1’ issue.
‘After taking a closer look we realized that this indeed doesn’t seem like a generic SPF vulnerability,’ a Google rep wrote to Plummer late last week. ‘Thus we are reopening this and the appropriate team is taking a closer look at what is going on.’
‘We apologize again for the confusion.’
