Google changes email authentication after spoof shows a bad delivery for UPS
Google's blue tick proves untrustworthy
Google says it has fixed a flaw that allowed a scammer to impersonate delivery service UPS on Gmail, after the data-hoarding web behemoth labeled the phony email as authentic.
The problem stemmed from an issue in an email authentication program called Brand Indicators for Message Identification (BIMI) that aims to protect email users from brand spoofing and phishing attacks claiming to be from a trusted org. BIMI also protects senders from reputational damage if their names and logos are used in a cyber attack.
BIMI, and email providers that support it – including Google – do this via email authentication standards: Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC), and DomainKeys Identified Mail (DKIM). BIMI requires participating brands to adopt DMARC along with either SPF or DKIM.
Up until this week, Google also used BIMI's requirements for senders: DMARC alignment with either SPF or DKIM.
It's since switched to requiring DKIM after security architect Chris Plummer found a bug related to SPF in late May. He spotted that an email purporting to be from a verified UPS sender – complete with the logistics giant's logo and the Google-verified blue check – was a scam. The problem was a weakness in SPF-based authentication that upgraded non-authenticated emails, making them appear authentic.
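To make the difference between SPF-based and DKIM-based alignment concrete, here is an added example (not code from the article, Google, Plummer or the BIMI group) of a toy DMARC evaluator run from the mailbox provider's side. The article does not spell out the exact SPF failure mode, so the scenario modelled is an assumption: a brand whose SPF record includes a shared relay provider, so that any message the relay emits with a forged envelope domain passes SPF, while only the brand can produce an aligned DKIM signature. The domains, IP ranges, key and messages are all constructed, and DKIM is stood in for by HMAC-SHA256 so the block runs offline (real DKIM uses RSA or Ed25519 over canonicalised headers, but the alignment logic is the same).

```python
"""Toy DMARC alignment evaluator (constructed example, not a real library)."""
import hashlib
import hmac
import ipaddress

# Constructed DNS TXT table: the brand includes a shared relay provider, and
# the relay publishes its own IP ranges. Neither domain nor range is real.
DNS_TXT = {
    "brand.example": "v=spf1 ip4:203.0.113.0/24 include:relay.example -all",
    "relay.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Constructed DKIM key table (selector._domainkey.domain -> key). The toy uses
# a shared HMAC secret in place of an RSA public key; only the brand holds it.
DKIM_KEYS = {"s1._domainkey.brand.example": b"brand-signing-secret"}


def spf_check(ip: str, mail_from_domain: str, depth: int = 0) -> str:
    """Minimal SPF: 'pass' if ip is authorised for mail_from_domain, else 'fail'.
    Supports only ip4: and include:, with an RFC 7208-style lookup limit."""
    record = DNS_TXT.get(mail_from_domain)
    if record is None or depth > 10:
        return "fail"
    addr = ipaddress.ip_address(ip)
    for mech in record.split()[1:]:
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:]):
            return "pass"
        if mech.startswith("include:") and spf_check(ip, mech[8:], depth + 1) == "pass":
            return "pass"
    return "fail"


def dkim_sign(domain: str, selector: str, body: str, key: bytes) -> dict:
    """Stand-in for DKIM signing: HMAC over the body with the domain's key."""
    return {"d": domain, "s": selector,
            "b": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def dkim_check(msg: dict) -> str:
    """'none' if unsigned, 'pass' if the signature verifies under the
    published key for d=/s=, otherwise 'fail'."""
    sig = msg.get("dkim")
    if not sig:
        return "none"
    key = DKIM_KEYS.get(f"{sig['s']}._domainkey.{sig['d']}")
    if key is None:
        return "fail"
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    return "pass" if hmac.compare_digest(expected, sig["b"]) else "fail"


def org_domain(addr_or_domain: str) -> str:
    """Toy organisational domain: strip the local part, lower-case the rest."""
    return addr_or_domain.split("@")[-1].lower()


def dmarc_evaluate(msg: dict) -> dict:
    """DMARC passes if SPF or DKIM passes *and* aligns with the From: domain."""
    from_domain = org_domain(msg["from"])
    spf_aligned = (spf_check(msg["ip"], msg["mail_from_domain"]) == "pass"
                   and org_domain(msg["mail_from_domain"]) == from_domain)
    dkim_aligned = (dkim_check(msg) == "pass"
                    and msg.get("dkim", {}).get("d") == from_domain)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


def bimi_eligible(result: dict, require_dkim: bool) -> bool:
    """Old rule: any aligned pass. New (Gmail) rule: DKIM-aligned pass only."""
    return result["dkim_aligned"] if require_dkim else result["dmarc_pass"]


def evaluate_scenarios() -> dict:
    """Two constructed messages: one genuinely from the brand, one emitted by
    the shared relay with a forged envelope domain and no brand signature."""
    body = "Your parcel is on its way."
    genuine = {"ip": "203.0.113.5", "mail_from_domain": "brand.example",
               "from": "notify@brand.example", "body": body,
               "dkim": dkim_sign("brand.example", "s1", body, b"brand-signing-secret")}
    relayed = {"ip": "198.51.100.7", "mail_from_domain": "brand.example",
               "from": "notify@brand.example", "body": body}
    out = {}
    for name, msg in (("genuine", genuine), ("relayed", relayed)):
        res = dmarc_evaluate(msg)
        out[name] = {**res,
                     "bimi_old_rule": bimi_eligible(res, require_dkim=False),
                     "bimi_dkim_rule": bimi_eligible(res, require_dkim=True)}
    return out


if __name__ == "__main__":
    for name, res in evaluate_scenarios().items():
        print(name, res)
```

Under the constructed SPF record the relayed message is SPF-aligned (the relay's range is reachable through the brand's include), so the older "DMARC with either SPF or DKIM" rule would have made it BIMI-eligible; requiring a DKIM-aligned pass removes that, because the relay cannot sign as the brand without the brand's key. Receivers can log the `spf_aligned`/`dkim_aligned` pair from their own DMARC evaluation to spot brand-domain mail that passes only on SPF.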
"This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are," a Google spokesperson told The Register. "To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status."
Bad delivery on all sides
Plummer submitted a bug report to Google, alerting it to the issue, and shared the report with The Register. Here's some of what he relayed:
I believe there is a bug in Gmail which has permitted a malicious sender to trick Gmail into this sense of assurance. Based on the message trajectory from email headers (full message attached to this case), this message was sent by way of a Facebook account, and onward through third-party infrastructure (fa83.windbound.org.uk, if DNS is to be believed) en route to O365, where it was then relayed to Gmail. Through this series of hops, it seems exceptionally unlikely this message was legitimately sourced by the UPS Corporation and that the brand mark in use is being used legitimately, which is what Gmail is communicating.
The spoof email, which managed to trick Google into thinking it originated from UPS, did not include a malicious payload, Plummer told The Register. "But if it had, that call would be highly regarded by an end user as genuine."
Initially, Google ignored his report, with a "won't fix – intended behavior" message, Plummer said. However, increased media attention around the flaw seems to have swayed some hearts and minds about the matter.
"What we will likely never know is how many times it was taken advantage of and used maliciously, how many other brands were successfully impersonated, and how many users were victimized by it," Plummer said.
BIMI, for its part, addressed the issue in a Wednesday blog post, and also blamed the bug on a "long-standing, and well-known, issue with SPF, one that predated BIMI and even DMARC."
The brand authentication program "is working exactly as designed," it added. And this recent Gmail incident highlights "long-standing edge cases" that still need to be fixed.
"We hope the benefits of BIMI and the necessary implementation components create further incentives for mailbox providers who participate in BIMI (and those who define and implement the standards) to address these long-standing gaps in authentication protocols," the BIMI blog said. ®