
Google's Gmail vulnerability exposes flaws in email authentication

Google recently launched a high-priority investigation into a security vulnerability within Gmail. While it was initially dismissed as "intended behaviour", the tech giant was compelled to re-evaluate the situation due to an external expert's persistence.

The flaw in question revolves around the Brand Indicators for Message Identification (BIMI) email authentication method, which Google introduced to Gmail last year.

Google's BIMI feature aims to enhance email security and provide users with a visual security checkmark, a blue tick, for authenticated sender avatars.

When a brand logo displayed in the email matches the company claiming to send it, users can confidently identify legitimate messages from impersonators.

An email can carry a correct BIMI checkmark even though it fails the Sender Policy Framework (SPF) authentication check.

BIMI is not exclusive to Google; however, the vulnerability that Google investigated solely impacted their own implementation of BIMI.

The blue tick therefore offers only an illusion of trust: malicious actors have evaded Google’s email authentication checks and are able to spoof legitimate companies, so the tick no longer gives users assurance of authenticity.

The incident also highlights the limitations of email authentication standards, including SPF and Domain-based Message Authentication, Reporting and Conformance (DMARC).

Google’s BIMI feature appears to rely on Microsoft’s standards: although the spoofed email had failed SPF authentication, it passed DMARC authentication because UPS, the purported sender, used Microsoft for its email services.

Google’s implementation requires only the SPF check to match; the DomainKeys Identified Mail (DKIM) signature can be from any domain.

DKIM is a digital signature added to every email sent from a given email address. This raises questions about the effectiveness and interplay of the various authentication methods across different domains and subdomains, and it reveals problems for other email providers that rely solely on SPF to validate BIMI.
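As an added illustration (not code from this article, from Google or from any BIMI implementation), the following Python script parses a constructed Authentication-Results header and compares two ways of deciding whether a brand mark may be shown: granting it on an aligned SPF pass alone, the weaker rule the article describes, versus also requiring a DKIM signature whose d= domain is aligned with the visible From domain. The header text, the domain names and the "require aligned DKIM" gate are assumptions made for this example, and the organisational-domain shortcut is a simplification of what real DMARC evaluators do with the Public Suffix List.

```python
import re

# Constructed sample header (domains and selector are made up for this example).
# SPF passes for a subdomain of the brand, but the DKIM signature comes from an
# unrelated domain: the situation the article describes.
SAMPLE_AUTH_RESULTS = (
    "mx.example.net; "
    "spf=pass smtp.mailfrom=bounce.example-brand.com; "
    "dkim=pass header.d=unrelated-relay.example header.s=sel1; "
    "dmarc=pass header.from=example-brand.com"
)

# Constructed sample where both identifiers are aligned with the From domain.
ALIGNED_AUTH_RESULTS = (
    "mx.example.net; "
    "spf=pass smtp.mailfrom=example-brand.com; "
    "dkim=pass header.d=example-brand.com header.s=sel1; "
    "dmarc=pass header.from=example-brand.com"
)


def org_domain(domain):
    """Approximate the organisational domain by keeping the last two labels.
    Assumption: real DMARC evaluators use the Public Suffix List; this shortcut
    is only adequate for simple top-level domains such as .com."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(domain, from_domain, strict=False):
    """DMARC identifier alignment: strict needs an exact match, relaxed (the
    default) accepts any domain sharing the same organisational domain."""
    if strict:
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Extract the SPF, DKIM and From identifiers from an Authentication-Results header."""
    fields = {}
    m = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", header)
    if m:
        fields["spf"], fields["spf_domain"] = m.group(1), m.group(2)
    m = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", header)
    if m:
        fields["dkim"], fields["dkim_domain"] = m.group(1), m.group(2)
    m = re.search(r"header\.from=([\w.-]+)", header)
    if m:
        fields["from_domain"] = m.group(1)
    return fields


def evaluate(fields, strict_alignment=False):
    """Compute DMARC alignment and two candidate gates for showing a brand mark."""
    from_domain = fields["from_domain"]
    spf_ok = fields.get("spf") == "pass" and aligned(
        fields.get("spf_domain", ""), from_domain, strict_alignment)
    dkim_ok = fields.get("dkim") == "pass" and aligned(
        fields.get("dkim_domain", ""), from_domain, strict_alignment)
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # RFC 7489: DMARC passes if either aligned identifier passes.
        "dmarc_pass": spf_ok or dkim_ok,
        # Gate 1: the weaker rule the article describes, SPF alignment alone.
        "mark_spf_only": spf_ok,
        # Gate 2 (assumed hardening): also demand a DKIM signature aligned with From.
        "mark_require_dkim": spf_ok and dkim_ok,
    }


if __name__ == "__main__":
    for name, header in (("spoof-style", SAMPLE_AUTH_RESULTS),
                         ("aligned", ALIGNED_AUTH_RESULTS)):
        print(name, evaluate(parse_auth_results(header)))
```

Run stand-alone, the "spoof-style" header passes DMARC (on SPF alone) and would earn the mark under the SPF-only gate, while the gate that also demands an aligned DKIM signature withholds it; the fully aligned header passes both gates. The point for a receiving platform is that the mark is only as strong as the weakest identifier it is willing to accept.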

Remediation & Mitigation

Exercise caution when receiving emails, especially those claiming to be from well-known brands or organisations.

Take a moment to carefully review the email content, sender details, and any suspicious or unusual elements, remembering to hover over the sender’s name to reveal the actual email address behind it.

Although Google is already investigating the issue as a top-priority incident, it needs to release a prompt fix for the BIMI vulnerability in its implementation, given the sharp rise in recent phishing campaigns. Organisations should also implement SPF and DMARC so that incoming emails can be verified and attempts by threat actors to spoof organisational email can be detected.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
