Gmail is tightening its implementation of an email security protocol after a researcher discovered a flaw allowing brands to be impersonated.
Gmail’s system uses Brand Indicators for Message Identification (BIMI) together with DMARC (Domain-based Message Authentication, Reporting, and Conformance) and a Verified Mark Certificate (VMC) issued by a certification authority such as Entrust or DigiCert to verify both the logo and the domain it is attached to.
How BIMI works
BIMI safeguards a brand’s reputation by giving it control over how it is represented in mail clients: its logo is displayed only next to messages that pass authentication.
Google moved to requiring DKIM after security architect Chris Plummer discovered the flaw in late May. A message that UPS had not sent nonetheless passed SPF in Gmail, so a fraudulent email appeared to come from a verified UPS sender.
Until this week, Google applied BIMI’s baseline requirement for senders: a DMARC pass with alignment from either SPF or DKIM.
DKIM, by contrast, prevents spoofing by attaching a digital signature to outgoing mail; the recipient verifies the signature against a public key the sending domain publishes in DNS, which confirms that the domain owner authorized the message.
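To make the difference between the two gating rules concrete, here is an added example (not Google’s, BIMI’s or UPS’s code) that evaluates DMARC identifier alignment from already-computed SPF and DKIM results and then applies both policies: the old “SPF or DKIM aligned” rule and the new “DKIM aligned” rule. The domains (`brand.example`, `relay.example`) and the three message scenarios are constructed for illustration, and the organizational-domain reduction is a deliberate simplification of what a real DMARC implementation does with the Public Suffix List.

```python
# Added example: DMARC alignment check plus two BIMI gating policies.
# Not the code of any mail provider; all domains and results are constructed.
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Toy organizational-domain reduction: keep the last two labels.
    Real implementations consult the Public Suffix List (e.g. co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: 's' = strict (exact match),
    'r' = relaxed (same organizational domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str                 # domain of the visible RFC5322.From header
    spf_result: str                  # "pass", "fail", "softfail", "none", ...
    spf_domain: str                  # RFC5321.MailFrom domain SPF was evaluated for
    dkim_signatures: list = field(default_factory=list)  # [(d= domain, result)]


def dmarc_pass_sources(r: AuthResults, mode: str = "r") -> set:
    """Return which mechanisms ('spf', 'dkim') both passed and align
    with the From domain. DMARC passes if the set is non-empty."""
    sources = set()
    if r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, mode):
        sources.add("spf")
    for d, result in r.dkim_signatures:
        if result == "pass" and aligned(d, r.from_domain, mode):
            sources.add("dkim")
    return sources


def bimi_eligible(r: AuthResults, require_dkim: bool = False, mode: str = "r") -> bool:
    """Old rule (require_dkim=False): any aligned pass qualifies.
    New rule (require_dkim=True): an aligned DKIM pass is mandatory,
    so an unsigned message that only passes SPF no longer gets the logo."""
    sources = dmarc_pass_sources(r, mode)
    if not sources:
        return False
    return "dkim" in sources if require_dkim else True


# Constructed scenarios (hypothetical domains, not real infrastructure).
# 1. Brand's own mail: SPF passes for a bounce subdomain, DKIM signed by the brand.
LEGIT = AuthResults("brand.example", "pass", "bounce.brand.example",
                    [("brand.example", "pass")])
# 2. Relayed, unsigned message whose MAIL FROM nonetheless passes SPF for the
#    brand's domain: DMARC passes on SPF alone, with no signature to check.
RELAYED = AuthResults("brand.example", "pass", "brand.example", [])
# 3. Forwarded message: SPF breaks (different sending host) but the original
#    DKIM signature survives, so it still qualifies under both rules.
FORWARDED = AuthResults("brand.example", "fail", "relay.example",
                        [("brand.example", "pass")])


if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("relayed", RELAYED), ("forwarded", FORWARDED)):
        print(f"{name:10} sources={sorted(dmarc_pass_sources(msg))} "
              f"old_rule={bimi_eligible(msg)} new_rule={bimi_eligible(msg, require_dkim=True)}")
```

The `RELAYED` scenario is the shape of problem the article describes: a DMARC pass obtained through SPF alone says nothing about message integrity, whereas an aligned DKIM pass ties the logo to a signature the brand’s key produced.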
Exploiting the flaw made the attacker look more trustworthy: the message displayed the UPS logo and the blue checkmark, as though Google had verified the sender.
Plummer reported the bug to Google. He explained that a malicious sender had tricked Gmail into treating the message as coming from UPS, even though it had passed through other infrastructure before reaching Gmail.
“The sender found a way to dupe @gmail’s authoritative stamp of approval, which end users are going to trust,” Plummer said in a subsequent tweet.
The message originated from a Facebook account and passed through third-party infrastructure (fa83.windbound.org.uk) before reaching Gmail via Office 365. It is highly unlikely that UPS actually sent it.
The spoofed email carried no harmful payload, but had it done so, it would have looked authentic to users. Google initially dismissed the report as intended behavior, then reversed course after media attention.
The extent of malicious use and the number of victims are unknown. The BIMI Group acknowledged the issue and attributed it to a known problem with SPF.
The brand authentication program “is working exactly as designed,” it added, and the Gmail incident highlights “long-standing edge cases” that still need to be fixed.