Email spoofing allowed by Google Apps Admin security hole

Researchers Patrik Fehrenbach and Behrouz Sadeghipour last month identified a vulnerability in the Google Apps Admin console – which allows administrators to manage their organisation’s Google Apps account – that could have been exploited to gain temporary ownership of any unclaimed domain and send malicious emails.

Demonstrating the vulnerability, Fehrenbach and Sadeghipour targeted two domains owned by Google itself: ytimg.com and gstatic.com. They then used these domains to send out emails that appeared to come from the email addresses admin@ytimg.com and admin@gstatic.com.

“[If] you claim the domain via the admin console,” they explained, “there were no warnings given to the user, and if the user checks the mail headers the server is a trusted server. So not only were we claiming other domains, we were successfully able to trick the Google Mail Server into accepting a wrong FROM parameter.”

In other words, attackers exploiting this flaw could have sent malicious emails that would not be flagged as suspicious because they came from trusted servers. Unsuspecting users could have inadvertently installed malware, or could have been taken in by a phishing attack.

Security Week reports that “Fehrenbach and Sadeghipour said they could even claim domains belonging to major banks and use them to send out emails. This could have been highly effective for phishing attacks because the emails looked like they had been sent from a legitimate bank email address, and Gmail would not warn recipients that the messages might be coming from a spoofed address.”

Google has now addressed the vulnerability – simply by changing the FROM email address to no-reply@google.com.

Phishing awareness

Spreading malware via phishing emails is one of the most common means of attack used by cyber criminals. CYREN’s recently released 2015 Cyberthreat Yearbook found that there was a 233% rise in the number of phishing emails from 2013 to 2014.

Organisations should ensure that their staff are properly trained to recognise phishing scams, and exercise caution when clicking links in unsolicited messages.

IT Governance’s Employee Phishing Vulnerability Assessment will identify potential vulnerabilities among your employees and provide recommendations to improve your security, giving you a broad understanding of how you are at risk and what you need to do to address these risks.
