Google Takes Action After Bug Enables Scammers to Bypass Security Checks on Gmail
Gmail users should treat the new verified-sender checkmark with caution until Google ships a fix: a recently reported bug let a sender obtain the blue tick without being the brand the mark implies. Scrutinize unexpected messages and do not act on a suspicious one just because it carries the checkmark. Google introduced the checkmarks last month to authenticate select senders and display a blue tick next to their names. The mark builds on Brand Indicators for Message Identification (BIMI): a sender must pass strong email authentication and have its brand logo verified before Gmail shows that logo as an “avatar” and the tick beside the name. Despite this, a scammer managed to get a spoofed message displayed with the checkmark, so Gmail presented the sender's brand as genuine.
Chris Plummer, a security engineer at Dartmouth Health, discovered the bug. “A sender has found a way to fool Gmail’s authorized seal of approval, which end users trust. This message went from a Facebook account to a netblock in the UK to O365 to me. Nothing here is legal. Google just doesn’t do that,” the security researcher tweeted.
Plummer said that when he first reported the issue, Google closed it as “intentional behavior.” After his tweets gained attention, the company reopened the report and acknowledged the problem. A screenshot of the Google security team’s response, shared by Plummer, reads: “Once we took a closer look, we realized this really didn’t look like a common SPF vulnerability. So we’re reopening this and the appropriate team will take a closer look at what’s going on.”
Is the Gmail error fixed?
According to Plummer, Google has since classified the bug as “P1”, a top-priority fix, and a patch is being worked on.
Until the fix lands, do not treat the blue checkmark as proof that a message comes from the brand it names. Check the actual From address and domain, open the message headers and read the Authentication-Results line for the SPF, DKIM and DMARC results, and be especially wary of messages that press you to act urgently. Because of this bug a message can carry the checkmark and still be a phishing attempt.
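As an added example (not code from the article, from Plummer, or from Google), the following Python script shows the recipient-side check that the advice above amounts to: ignore the badge and read the Authentication-Results and Received headers yourself. It applies DMARC-style relaxed alignment between the From domain and the domains that SPF and DKIM actually vouched for. The two messages are constructed, with reserved example/test hostnames; the spoofed one's Received chain mirrors the hop path Plummer described. `org_domain` is a simplified organizational-domain helper (last two labels, no Public Suffix List), and nothing here reproduces Gmail's own checkmark logic, which the article does not describe.

```python
import re
import email
from email import policy

# Constructed sample messages for illustration only; the hostnames use
# reserved example/test domains and are not taken from the real incident.
LEGIT_RAW = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=sel1;
       spf=pass (google.com: domain of bounce@example.com designates 203.0.113.5 as permitted sender) smtp.mailfrom=bounce@example.com;
       dmarc=pass (p=REJECT) header.from=example.com
Received: from mail.example.com (mail.example.com. [203.0.113.5]) by mx.google.com with ESMTPS id abc123
From: Example Brand <noreply@example.com>
To: user@gmail.example
Subject: Your statement is ready

Hello.
"""

# The Received chain below mirrors the hop path described in the article
# (a Facebook account, a UK netblock, then O365), with made-up hostnames.
SPOOF_RAW = """\
Authentication-Results: mx.google.com;
       dkim=none;
       spf=pass (google.com: domain of relay@attacker-relay.test designates 198.51.100.7 as permitted sender) smtp.mailfrom=relay@attacker-relay.test;
       dmarc=fail (p=REJECT) header.from=example.com
Received: from outbound.o365.test (outbound.o365.test. [198.51.100.7]) by mx.google.com with ESMTPS id def456
Received: from uk-netblock.test (uk-netblock.test. [192.0.2.44]) by outbound.o365.test with SMTP id ghi789
Received: from facebookmail.test ([192.0.2.10]) by uk-netblock.test with SMTP id jkl012
From: Example Brand <noreply@example.com>
To: user@gmail.example
Subject: Action required on your account

Click here.
"""


def org_domain(addr_or_domain: str) -> str:
    """Organizational domain used for relaxed DMARC alignment.
    Simplified to the last two DNS labels; a real implementation would
    consult the Public Suffix List (e.g. for co.uk)."""
    domain = addr_or_domain.lower().rstrip(".").split("@")[-1]
    return ".".join(domain.split(".")[-2:])


def parse_auth_results(header_value: str) -> dict:
    """Parse an RFC 8601 Authentication-Results header into
    {method: (result, {property: value})}, ignoring the authserv-id."""
    unfolded = " ".join(header_value.split())
    stanzas = [s.strip() for s in unfolded.split(";") if s.strip()]
    results = {}
    for stanza in stanzas[1:]:  # stanzas[0] is the authserv-id (mx.google.com)
        m = re.match(r"(\w+)=(\w+)(.*)", stanza)
        if not m:
            continue
        method, result, rest = m.groups()
        props = dict(re.findall(r"((?:header|smtp)\.\w+)=(\S+)", rest))
        results[method] = (result, props)
    return results


def received_path(msg) -> list:
    """Hostnames from the Received chain, newest hop first (as written)."""
    hops = []
    for received in msg.get_all("Received") or []:
        m = re.match(r"\s*from\s+(\S+)", " ".join(str(received).split()))
        if m:
            hops.append(m.group(1))
    return hops


def assess(raw: str) -> dict:
    """Recipient-side check that does not rely on any UI badge: trust the
    brand in From only if SPF or DKIM passed for a domain aligned with it."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = org_domain(msg["From"].addresses[0].addr_spec)
    ar = parse_auth_results(str(msg.get("Authentication-Results", "")))
    spf_result, spf_props = ar.get("spf", ("none", {}))
    dkim_result, dkim_props = ar.get("dkim", ("none", {}))
    spf_aligned = spf_result == "pass" and org_domain(spf_props.get("smtp.mailfrom", "")) == from_domain
    dkim_aligned = dkim_result == "pass" and org_domain(dkim_props.get("header.i", "")) == from_domain
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": ar.get("dmarc", ("none", {}))[0],
        "path": received_path(msg),
        "trust_brand": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_RAW), ("spoof", SPOOF_RAW)):
        print(label, assess(raw))
```

Running the file prints both verdicts: the legitimate message gets `trust_brand` True, while the spoof gets False even though its SPF result is `pass`, because that pass was earned by an unrelated return-path domain rather than the brand shown in From. That is the distinction a raw "SPF pass" hides and the reason the From domain, not the badge, should drive trust.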