Google fixes a Gmail bug that could've let attackers spoof emails
While users were struggling to use Gmail's services for a long time yesterday, Google fixed a critical bug that might've let attackers send spoofed emails.
It took Google a whopping 137 days to close the bug after security researcher Allison Husain first reported it to the company.
The bug could also let attackers bypass protection protocols such as Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) that protect you from spoofing.
These techniques compare the sender's IP address to a pre-approved list of IPs that are allowed to send emails for the domain.
Because of this, even if the original email failed the SPF and DMARC test, the spoofed email would end up in the attacker's second inbox because the IP was put in the allowlist.
Once the email is in the attacker's second G Suite inbox, they could configure a random recipient through Gmail's "Change envelope recipient" function.
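The IP comparison described above can be seen in a small SPF evaluator. This is an added example, not code from the article or from Google; the SPF record, the domain's own range and the "shared provider" range are constructed from documentation address blocks, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record: 192.0.2.0/24 is the domain's own mail server range,
# 198.51.100.0/24 stands in for a shared mail provider's outbound relays.
RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all"


def check_spf(record: str, connecting_ip: str) -> str:
    """Evaluate ip4/ip6/all terms of an SPF record against the connecting IP.

    Terms that need DNS lookups (include, a, mx, ...) are skipped here;
    a full evaluator would resolve them.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            expected = 4 if name == "ip4" else 6
            if net.version == expected == ip.version and ip in net:
                return RESULTS[qualifier]
    return "neutral"  # no term matched and the record has no "all"


if __name__ == "__main__":
    # The same message, judged only by the IP of the server handing it over.
    print("direct from unlisted host:", check_spf(RECORD, "203.0.113.7"))
    print("via allowlisted relay:    ", check_spf(RECORD, "198.51.100.25"))
```

SPF only judges the last hop's IP, so a shared provider range in the record authorizes every message that leaves through that provider's relays, whoever composed it.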