The most people use Gmail, which has a total user base of a staggering 1.5 billion people. This represents 18.75% of the total population of the planet. The security mechanisms of Gmail are well-known for their effectiveness in preventing hackers from gaining control of user accounts.
Gmail has included a new function that displays an authorized brand with a blue verified tick, such as Apple, Google, or another company. This mechanism was put into place to differentiate between emails sent by spammers and those sent by genuine businesses.
However, threat actors have discovered a new method to misuse this functionality by sending spam emails that have a blue confirmed tick attached to them. The Gmail Checkmark System is a tool that was launched to assist users in defending themselves against impersonators and spam emails. Chris Plummer, a security researcher, uncovered this flaw, and he subsequently informed Google of his findings.
Unfortunately, this problem has been reacted to as “Intended Behaviour” and commented on as “Will not Fix.”
The researcher, on the other hand, offered an explanation in which he said that the email’s route was not a legitimate one. According to the statement made by Chris Plummer, “The sender discovered a way to trick gmail’s authoritative stamp of approval, which end users will trust.” I received this message on O365 after it originated from a Facebook account that was located in the United Kingdom. Nothing of this is even somewhat credible.
Following a string of tweets sent out by the researcher, Google decided to make addressing this problem their top priority (P1) and is presently hard at work finding a solution. In addition, Google expressed regret for its original answer and said, “After taking a deeper look, we found that this certainly doesn’t appear like a general SPF issue. As a result, we are revisiting this, and the relevant team is having a closer look at what has been going on. We sincerely appreciate you for insisting that we take a more in-depth look at this matter, and we would like to extend our apologies once again for the misunderstanding. We are aware that our original reaction may have been one of irritation.
Every researcher is devoting a significant amount of work to discovering vulnerabilities of high significance in large technology businesses. Any security researcher and his work will be made to seem bad if the company in question closes high-priority issues in a flash and mentions that they “Won’t fix” them.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.
