Google vulnerability allowed sending spoofed emails with Gmail ID


Google fixed the vulnerability only after the security researcher ended up disclosing its technical details online.


Imagine receiving an email from the White House; you would be amazed to be a recipient. Yet the email you received may only look like it comes from the White House while in reality it comes from another, malicious source.


Such an identity misrepresentation could take place through a classic email spoofing attack in which the “From” value of the received mail is tampered with. To tackle this, two email authentication mechanisms are in place that help prevent such spoofing:


Sender Policy Framework (SPF)
Domain-based Message Authentication, Reporting, and Conformance (DMARC).

These help email providers prevent attackers from using their services to send such fake emails and, at the same time, inform users if a suspicious, tampered email finds its way into their inbox. However, what happens when a spoofed email also evades these checks and reaches the user regardless? Unless you look really closely, you may just fall for it.
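To make concrete what SPF and DMARC actually verify, here is an added example (not code from the article or from Google) that reads the Authentication-Results header a receiving mail server adds and performs the DMARC identifier-alignment check: SPF or DKIM must not only pass, the domain they authenticated must match the domain shown in the “From” header that the user sees. The two messages are constructed samples; the host and domain names, and the two-label organizational-domain rule used instead of the Public Suffix List, are assumptions for illustration.

```python
"""Check DMARC identifier alignment from a received message's headers."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: SPF and DKIM pass and both align with the From domain.
SAMPLE_ALIGNED = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=newsletter.example.org;
 dkim=pass header.d=example.org;
 dmarc=pass header.from=example.org
From: Alerts <alerts@example.org>
To: user@example.net
Subject: Aligned message

hello
"""

# Constructed sample: SPF passes, but for an envelope domain unrelated to the
# visible From domain, so DMARC alignment fails even though "spf=pass".
SAMPLE_MISALIGNED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@unrelated.example;
 dkim=none;
 dmarc=fail header.from=example.org
From: "Chief Executive" <ceo@example.org>
To: user@example.net
Subject: Misaligned message

please wire the funds
"""


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Assumption for this example; real deployments use the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(value: str) -> dict:
    """Parse one Authentication-Results value into {method: (result, props)}."""
    value = re.sub(r"\([^)]*\)", "", value)        # drop CFWS comments
    value = re.sub(r"\s+", " ", value).strip()     # unfold / normalise whitespace
    parts = [p.strip() for p in value.split(";")]
    results = {}
    for part in parts[1:]:                         # parts[0] is the authserv-id
        if not part:
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key.lower()] = val.lower()
        results[method.lower()] = (result.lower(), props)
    return results


def dmarc_alignment(raw: str) -> dict:
    """Return the From domain, the authenticated domains and whether either aligns."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        results.update(parse_auth_results(str(hdr)))

    spf_result, spf_props = results.get("spf", ("none", {}))
    dkim_result, dkim_props = results.get("dkim", ("none", {}))
    # smtp.mailfrom may be a full address or a bare domain; keep the domain part.
    spf_domain = spf_props.get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_domain = dkim_props.get("header.d", "")

    spf_aligned = (spf_result == "pass" and bool(spf_domain) and bool(from_domain)
                   and org_domain(spf_domain) == org_domain(from_domain))
    dkim_aligned = (dkim_result == "pass" and bool(dkim_domain) and bool(from_domain)
                    and org_domain(dkim_domain) == org_domain(from_domain))
    return {
        "from_domain": from_domain,
        "spf_result": spf_result,
        "spf_domain": spf_domain,
        "dkim_result": dkim_result,
        "dkim_domain": dkim_domain,
        "aligned": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for name, sample in (("aligned", SAMPLE_ALIGNED), ("misaligned", SAMPLE_MISALIGNED)):
        print(name, dmarc_alignment(sample))
```

The second sample is the situation the article is about: an "spf=pass" verdict on its own proves only that the sending server was allowed to use the envelope sender's domain, and a mail client or filter that stops there will accept a message whose visible “From” belongs to somebody else. DMARC's contribution is precisely the alignment step, so a downstream rule should key on the alignment result (or the server's dmarc= verdict), not on SPF alone.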


See: Google admits third-party app developers read your Gmail emails


This is exactly what happened recently, according to a report by researcher Allison Husain: users were able to send spoofed emails that were treated as fully compliant with both the SPF and DMARC standards.




Furthermore, by using custom email routing rules, a user could also change the email recipient’s address redirecting any incomi ..
