Google says that it has fixed an issue in Gmail that saw scammers impersonating a legitimate, and more importantly, verified company, but fortunately, it looks like no users were harmed.
The email service provider just recently expanded on the BIMI email authentication program it launched almost two years ago by allowing certain eligible companies to show a blue checkmark next to their name, in a bid to help users distinguish safe emails in the inbox.
The emails in question appeared to come from delivery giant UPS, however fortunately, The Register reports that no malicious payload was included.
Gmail authentication hacked
BIMI requires that participating companies adopt Domain-based Message Authentication, Reporting, and Conformance (DMARC) as well as either Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM).
A vulnerability in SPF is to blame for allowing scammers to pretend to be UPS, even adopting the company’s logo and blue checkmark, according to Chris Plummer who shared their findings via a Tweet.
The thread details Google’s initial response, along the lines of “won’t fix – intended behavior,” before pressure from Plummer and the Internet saw it rethink its stance. A later communication from Google to Plummer reads:
“After taking a closer look we realized that this indeed doesn’t seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on.”
Google apologized to Plummer for its initial response, which it said “might have been frustrating,” and thanked the Twitter user for “pressing on for [Google] to take a closer look.”
While this example in isolation appears not to have caused any trouble, it’s unclear how many other accounts have been impersonated and how many email users have fallen victim to other scams.
Google did not immediately respond to TechRadar Pro’s request for an update on the matter.