According to a recent shareholder letter from…
It is reported that the vulnerability allows attackers to send fraudulent emails that mimic any Gmail or G Suite customer.
Allison Husain also noted that the vulnerability also helps email attachments to bypass the Sender Policy
Framework (SPF) and Domain-based Mail Authentication (DMARC), the two most sophisticated email security requirements.
Regrettably, the search giants were not aggressive enough to remedy the vulnerabilities, and even wanted to postpone them to September before they were officially fixed.
It wasn’t until Allison Husain revealed the blog’s proof-of – concept bug code that Google engineers yesterday modified their ideology.
Seven hours after the blog post went live Google told Allison Husain that the company had implemented server-side mitigation measures.
As for the Gmail (G Suite) bug itself, it is actually a combination of two factors. The first is that the attacker can send deceptive emails to the back-end gateway.
The second is to use custom mail routing rules to receive incoming e-mails and forward them, and to deceive Gmail or G Suite customers with the help of local features of changing recipients
The advantage of using this feature for forwarding is that Gmail / G Suite complies with SPF and DMARC security standards to verify fraudulently sent emails. Since it has its roots in the Google’s backend, its spam score may also be low, reducing the potential for filtering system to intercept.
Allison Husain said those two bugs are unique to Google. If the bugs aren’t patched in time, malicious email senders likely abuse them. Fortunately, by deploying server-side mitigation measures,
users do not have to carry out any additional operations