Google says it has fixed a flaw that allowed a scammer to impersonate delivery service UPS on Gmail, after the data-hoarding web behemoth labeled the phony email as authentic.
The problem stemmed from an issue in an email authentication program called Brand Indicators for Message Identification (BIMI) that aims to protect email users from brand spoofing and phishing attacks claiming to be from a trusted org. BIMI also protects senders from reputational damage if their names and logos are used in a cyber attack.
BIMI, and email providers that support it – including Google – do this via email authentication standards: Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC), and DomainKeys Identified Mail (DKIM). BIMI requires participating brands to adopt DMARC along with either SPF or DKIM.
Google started supporting BIMI in July 2021, and it implemented the blue checks for verified senders last month.
Up until this week, Google also used BIMI’s requirements for senders: DMARC alignment with either SPF or DKIM.
It’s since switched to DKIM after security architect Chris Plummer found a bug in SPF in late May. He spotted that an email purporting to be from a verified UPS sender – complete with the logistic giant’s logo, and the Google-verified blue check – was a scam. The problem was a vulnerability in SPF that upgraded non-authenticated emails, making them authentic.
“This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are,” a Google spokesperson told The Register. “To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status.”
Bad delivery on all sides
Plummer submitted a bug report to Google, alerting it to the issue, and shared the report with The Register. Here’s some of what he relayed:
The spoof email, which managed to trick Google into thinking it originated from UPS, did not include a malicious payload, Plummer told The Register. “But if it had, that call would be highly regarded by an end user as genuine.”
Initially, Google ignored his report, with a “won’t fix – intended behavior” message, Plummer said. However, increased media attention around the flaw seems to have swayed some hearts and minds about the matter.
“What we will likely never know is how many times it was taken advantage of and used maliciously, how many other brands were successfully impersonated, and how many users were victimized by it,” Plummer said.
BIMI, for its part, addressed the issue in a Wednesday blog post, and also blamed the bug on a “long-standing, and well-known, issue with SPF, one that predated BIMI and even DMARC.”
The brand authentication program “is working exactly as designed,” it added. And this recent Gmail incident highlights “long-standing edge cases” that still need to be fixed.
“We hope the benefits of BIMI and the necessary implementation components create further incentives for mailbox providers who participate in BIMI (and those who define and implement the standards) to address these long-standing gaps in authentication protocols,” the BIMI blog said. ®