Google fixes serious email authentication bug - make sure you're not affected

(Image credit: Google)

Google says that it has fixed an issue in Gmail that saw scammers impersonating a legitimate, and more importantly, verified company, but fortunately, it looks like no users were harmed.

The email service provider just recently expanded on the BIMI email authentication program it launched almost two years ago by allowing certain eligible companies to show a blue checkmark next to their name, in a bid to help users distinguish safe emails in the inbox.

The emails in question appeared to come from delivery giant UPS, however fortunately, The Register reports that no malicious payload was included.

Gmail authentication hacked

BIMI requires that participating companies adopt Domain-based Message Authentication, Reporting, and Conformance (DMARC) as well as either Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM).

A vulnerability in SPF is to blame for allowing scammers to pretend to be UPS, even adopting the company’s logo and blue checkmark, according to Chris Plummer who shared their findings via a Tweet.

The thread details Google’s initial response, along the lines of “won’t fix - intended behavior,” before pressure from Plummer and the Internet saw it rethink its stance. A later communication from Google to Plummer reads:

“After taking a closer look we realized that this indeed doesn’t seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on.”

Google apologized to Plummer for its initial response, which it said “might have been frustrating,” and thanked the Twitter user for “pressing on for [Google] to take a closer look.”

While this example in isolation appears not to have caused any trouble, it’s unclear how many other accounts have been impersonated and how many email users have fallen victim to other scams.

A Google spokesperson told TechRadar Pro:

"This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are. To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status."

Google confirmed that the change has now been fully rolled out.

Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!