Gmail recently had a major outage that affected millions of users around the world, and it came back online with a security bug fixed. The bug had a high impact on both Gmail and Google's G Suite. It was identified by Google back in April 2020, but it has only now been fixed.
The bug allowed attackers to send spoofed email on behalf of any Gmail or G Suite user, as described by security researcher Allison Husain. “This issue is a bug unique to Google which allows an attacker to send mail as any other user or G Suite customer while still passing even the most restrictive SPF and DMARC rules,” said Husain in a blog post.
Giving details on the bug, Husain said that “By chaining together both the broken recipient validation in G Suite’s mail validation rules and an inbound gateway, I was able to cause Google’s backend to resend mail for any domain which was clearly spoofed when it was received.” Husain added that “This is advantageous for an attacker if the victim they intend to impersonate also uses Gmail or G Suite because it means the message sent by Google’s backend will pass both SPF and DMARC as their domain will, by nature of using G Suite, be configured to allow Google’s backend to send mail from their domain.”
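To see why a message relayed by Google's backend passes the victim domain's SPF and DMARC checks while the same spoofed message sent from anywhere else would fail, the following added example (not code from the article or from Husain's research) evaluates a simplified SPF record and DMARC alignment against constructed DNS records. The domain `victim.example`, the TEST-NET addresses and the stand-in `_spf.google.com` record are all constructed for illustration; Google's real SPF netblocks are not reproduced.

```python
import ipaddress

# Constructed DNS TXT records for the example. The _spf.google.com entry is a
# stand-in (TEST-NET range), not Google's real SPF record. A G Suite customer
# publishes "include:_spf.google.com", which is what authorizes Google's mail
# servers to send for the customer's domain.
DNS_TXT = {
    "victim.example": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_dmarc.victim.example": "v=DMARC1; p=reject; aspf=r; adkim=r",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, depth=0):
    """Minimal SPF evaluator supporting ip4, include and all (with qualifiers)."""
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms; avoid include loops
        return "permerror"
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only when the referenced record yields "pass"
            matched = spf_check(ip, term[8:], depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # unsupported mechanism in this simplified evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def org_domain(domain):
    """Simplified organizational domain (last two labels); real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_evaluate(ip, mail_from_domain, header_from_domain, dkim_pass_domains=()):
    """Return (result, policy): DMARC passes if SPF or DKIM passes AND aligns with the From: domain."""
    record = DNS_TXT.get("_dmarc." + header_from_domain)
    if not record:
        return ("none", "none")
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    policy = tags.get("p", "none")
    strict_spf = tags.get("aspf", "r") == "s"
    strict_dkim = tags.get("adkim", "r") == "s"

    def aligned(d, strict):
        if strict:
            return d.lower() == header_from_domain.lower()
        return org_domain(d) == org_domain(header_from_domain)

    spf_aligned = spf_check(ip, mail_from_domain) == "pass" and aligned(mail_from_domain, strict_spf)
    dkim_aligned = any(aligned(d, strict_dkim) for d in dkim_pass_domains)
    return ("pass" if (spf_aligned or dkim_aligned) else "fail"), policy


if __name__ == "__main__":
    # Same spoofed envelope (MAIL FROM and From: both victim.example); only the sending IP differs.
    relayed = dmarc_evaluate("203.0.113.5", "victim.example", "victim.example")   # via the authorized relay
    direct = dmarc_evaluate("198.51.100.7", "victim.example", "victim.example")   # from an unrelated host
    print("relayed through authorized backend:", relayed)  # ('pass', 'reject')
    print("sent directly from elsewhere:     ", direct)    # ('fail', 'reject')
```

The two calls at the bottom use identical sender and From: domains; the only difference is whether the connecting IP falls inside the netblock the victim's SPF record includes. That is the whole of Husain's point: once Google's backend is induced to resend the message, the receiving side sees an authorized IP and an aligned domain, so `p=reject` never fires. For defenders this also shows why SPF and DMARC alone cannot flag such mail; the useful signals are the original `Received:` chain and the gateway-side validation that the patch corrected.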
As mentioned by ZDNet, the patch has been rolled out from the server side so Gmail or G Suite users don’t have to do anything.