Thursday, October 29, 2020

Google Patches Gmail Bug Within 7 Hours of Public Disclosure


In April, security researcher Allison Husain discovered a critical security flaw in Gmail's servers. The vulnerability made it possible for an attacker to send email impersonating any Gmail or G Suite user. As per Husain's findings, messages spoofed this way also passed Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks, the two mechanisms receivers rely on to reject forged senders.

Google accepted the issue on April 16 and classified it as a Priority 2, Severity 2 bug, but did not follow up with a fix. On August 1, Husain told Google she planned to disclose the issue on August 17. Google acknowledged the report and set September 17 as the rollout date for a fix. Husain made the flaw public on August 19, and Google fixed it seven hours later.

As Husain explains in her blog post, the exploit combines flawed recipient validation in G Suite's mail routing rules with an inbound mail gateway (a server that processes incoming mail on a domain's behalf) to get spoofed messages relayed onward by Google's own backend.

[Figure: diagram of the Gmail spoofing flow. Image: Allison Husain]

“This is advantageous for an attacker if the victim they intend to impersonate also uses Gmail or G Suite because it means the message sent by Google’s backend will pass both SPF and DMARC as their domain will, by nature of using G Suite, be configured to allow Google’s backend to send mail from their domain,” wrote Husain.
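The quote above is the whole reason the relay mattered: SPF authenticates the connecting IP against the envelope sender's domain, and DMARC passes when that authenticated domain aligns with the From: header. A message handed to Google's backend therefore looks exactly like the victim's legitimate mail. The following added example (not code from the article or from Husain's write-up) is a small SPF and DMARC evaluator with a constructed in-memory DNS; the domains, IP ranges and records are illustrative, and it goes beyond the article only in implementing the general SPF include/ip4/all evaluation rather than a single case. It runs the same forged message twice: once straight from an attacker-controlled host, once from an address inside the victim's provider's SPF range, which is the position Google's backend was tricked into.

```python
"""Simplified SPF and DMARC evaluation.

Added example; not code from the original article or from Allison Husain's
write-up. All domains, IP ranges and DNS records are constructed for the
demonstration (RFC 2606 / RFC 5737 documentation values), not real data.
"""
import ipaddress
from dataclasses import dataclass

# Constructed DNS TXT records standing in for a resolver. victim.example uses a
# hosted mail service, so its SPF record delegates to the provider's record,
# just as a G Suite customer's record includes Google's.
DNS_TXT = {
    "victim.example": "v=spf1 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.victim.example": "v=DMARC1; p=reject; aspf=r",
}


@dataclass
class Message:
    client_ip: str    # address of the host that connected to the receiving MTA
    mail_from: str    # SMTP envelope sender (MAIL FROM), what SPF authenticates
    header_from: str  # RFC 5322 From: header, what DMARC aligns against


@dataclass
class AuthResult:
    spf: str      # "pass", "fail", "softfail", "neutral" or "none"
    dmarc: str    # "pass" or "fail"
    policy: str   # the From: domain's requested DMARC disposition (p= tag)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def spf_check(client_ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record against the connecting IP.
    Supports ip4, include and all; a real evaluator also handles a, mx, exists,
    redirect, macros and the 10-lookup limit. depth stops include loops."""
    record = DNS_TXT.get(domain)
    if record is None or depth > 10 or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(client_ip, term[8:], depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # mechanism not modelled by this toy evaluator
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def dmarc_policy(from_domain: str) -> dict:
    """Parse the From: domain's _dmarc TXT record into a tag dictionary."""
    tags = {}
    for tag in DNS_TXT.get(f"_dmarc.{from_domain}", "").split(";"):
        key, _, value = tag.strip().partition("=")
        if key:
            tags[key] = value
    return tags


def authenticate(msg: Message) -> AuthResult:
    """DMARC passes when an authenticated identifier aligns with the From: domain.
    Only the SPF path is modelled; DKIM is omitted here."""
    from_domain = domain_of(msg.header_from)
    spf_domain = domain_of(msg.mail_from)
    spf = spf_check(msg.client_ip, spf_domain)
    tags = dmarc_policy(from_domain)
    if tags.get("aspf", "r") == "s":
        aligned = spf_domain == from_domain
    else:  # relaxed alignment: organisational domain match, approximated as same-or-subdomain
        aligned = spf_domain == from_domain or spf_domain.endswith("." + from_domain)
    dmarc = "pass" if spf == "pass" and aligned else "fail"
    return AuthResult(spf, dmarc, tags.get("p", "none"))


# Scenario 1: the attacker's own server (203.0.113.5) sends the forged message
# straight to the target. SPF fails, DMARC fails, and p=reject applies.
DIRECT = Message("203.0.113.5", "ceo@victim.example", "ceo@victim.example")

# Scenario 2: the same forged message, but the last hop into the target is the
# victim's own mail provider (198.51.100.10). That IP is covered by the victim's
# SPF record, so SPF passes, and because it is aligned with From:, so does DMARC.
RELAYED = Message("198.51.100.10", "ceo@victim.example", "ceo@victim.example")

if __name__ == "__main__":
    for name, msg in (("direct", DIRECT), ("relayed", RELAYED)):
        print(name, authenticate(msg))
```

The two results make the practitioner's point: neither SPF nor DMARC can tell the provider's legitimate outbound traffic from a message the provider was tricked into relaying, because both mechanisms trust the connecting IP and nothing about how the message got there. That is why the only effective fix was server-side at Google, and why a receiving domain could not have protected itself with a stricter policy.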

If you are curious how this could have been exploited, Husain has published a proof of concept in her blog post. Nothing is required on the user's side: Google fixed the flaw with server-side changes, so there is nothing to update or reconfigure.

