Google has fixed an issue that allowed third parties to send emails on behalf of someone else’s addresses through the Gmail and G Suite servers. The bug was reported 137 days ago, but was not fixed until the details of the issue were published.
The problem was in the G Suite management console, where the ‘Default routing’ setting in Gmail allows incoming mail to be rerouted. That setting includes an option to change the recipient, username and domain name of the incoming mail. Security researcher Allison Husain found that the console did not validate whether the person configuring the routing actually owned the email address and domain.
Only when the strict authentication technique DMARC was in use did the spoofing fail, but Husain was able to circumvent this too. DMARC validates whether a message claiming to come from the sender’s domain was indeed allowed to be sent from there. By configuring an inbound gateway in the G Suite admin panel and adding one or more IP addresses, it turned out to be possible to skip the DMARC validation, because that validation would then be expected to take place at the inbound gateway. Precisely because the spoofed mail passed through the trusted Google servers, the bug could have been widely exploited for spamming, for example, because filters would then let the messages through.
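As an added illustration (not code from the article, from Husain, or from Google), the check below models the DMARC alignment evaluation the article refers to and contrasts a receiver that skips it for mail arriving from a configured inbound gateway with one that always evaluates it itself; all domains, addresses and IPs are constructed.

```python
# Added example: minimal relaxed DMARC alignment check, plus a receiver that
# can be told to trust a configured inbound gateway. Domains and IPs are
# constructed; the "organizational domain" logic is deliberately simplified.
import re
from ipaddress import ip_address, ip_network

def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (no public-suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header: str) -> dict:
    """Pull SPF/DKIM verdicts and their identifier domains out of an
    Authentication-Results style header (constructed, RFC 8601 shaped)."""
    result = {}
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([^\s;]+)", header)
    if spf:
        result["spf"] = (spf.group(1), spf.group(2).split("@")[-1])
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([^\s;]+)", header)
    if dkim:
        result["dkim"] = (dkim.group(1), dkim.group(2))
    return result

def dmarc_aligned(from_domain: str, auth: dict) -> bool:
    """Relaxed alignment: SPF or DKIM must pass AND its domain must share the
    organizational domain of the RFC5322.From address."""
    target = org_domain(from_domain)
    for mech in ("spf", "dkim"):
        verdict, dom = auth.get(mech, ("none", ""))
        if verdict == "pass" and org_domain(dom) == target:
            return True
    return False

def accept(msg: dict, gateway_nets: list, skip_at_gateway: bool) -> str:
    """Decide on a message. When the connecting IP is a configured inbound
    gateway and the receiver is set to skip its own check, the message is
    accepted on trust alone, which is the gap the article describes.
    With skip_at_gateway=False the receiver always evaluates alignment."""
    src = ip_address(msg["client_ip"])
    from_gateway = any(src in ip_network(n) for n in gateway_nets)
    if skip_at_gateway and from_gateway:
        return "accept (unverified, trusted gateway)"
    auth = parse_auth_results(msg.get("auth_results", ""))
    return "accept" if dmarc_aligned(msg["from_domain"], auth) else "reject"

# Constructed spoof: From claims victim.example, but SPF only passed for an
# unrelated domain, so alignment fails whenever it is actually evaluated.
SPOOF = {"client_ip": "198.51.100.10", "from_domain": "victim.example",
         "auth_results": "mx.example; spf=pass smtp.mailfrom=b@other.example; dkim=none"}
```

Running `accept(SPOOF, ["198.51.100.0/24"], True)` shows the unverified acceptance; the same message with `skip_at_gateway=False` is rejected.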
Husain discovered the problem on April 1 and notified Google on April 3. When she found on August 1 that the problem was still there, she informed Google that she planned to publish the details on August 17. Despite promises that a fix was on the way, none arrived, and the details went online on August 19. Seven hours later, Google implemented a patch. Husain praises the Google security team and says she has since had further good communication with the team.