Google fixes Gmail spoofing vulnerability

[German] Google's email service Gmail had a spoofing vulnerability that could have been used to send mail through someone else's account. Google has now closed the vulnerability after an exploit became public.


Security researcher Allison Husain encountered the problem and has documented it in this blog post. Because mail routes are not verified when they are configured, both Gmail's own strict DMARC/SPF policy and the strict DMARC/SPF policy of every G Suite customer can be circumvented. This is done by using G Suite's mail routing rules to forward fraudulent messages and thereby lend them authenticity.

In particular, this is not the classic mail spoofing of the past, where an arbitrary value is placed in the From header, a technique that mail servers can easily block using the Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC). This issue is a flaw specific to the Gmail system that allows an attacker to send email as any other G Suite user or customer while still passing even the most restrictive SPF and DMARC rules.
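To make the SPF/DMARC distinction above concrete, here is an added example (not code from the original post or from Allison Husain's write-up) that applies the DMARC identifier-alignment rule to constructed authentication results and returns the disposition a receiving server would apply. It assumes a simplified organizational-domain rule (last two labels) instead of the Public Suffix List.

```python
from dataclasses import dataclass


@dataclass
class AuthResult:
    """Constructed summary of what a receiver learned about one message."""
    from_domain: str   # domain of the RFC5322.From header shown to the user
    spf_domain: str    # domain SPF actually checked (MAIL FROM / Return-Path)
    spf_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature, "" if the message is unsigned
    dkim_pass: bool


def org_domain(domain: str) -> str:
    # Simplification (assumption): treat the last two labels as the
    # organizational domain; real implementations consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC alignment: 's' requires an exact match, 'r' only the same org domain."""
    if not from_domain or not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(r: AuthResult, policy: str = "reject",
                      adkim: str = "r", aspf: str = "r") -> str:
    """Return 'pass' if SPF or DKIM passes *and* aligns with the From domain,
    otherwise the action from the sender's DMARC policy ('none'/'quarantine'/'reject')."""
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, aspf)
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else policy


# Constructed samples: classic From-header spoofing is caught because SPF
# authenticated the attacker's own domain, which does not align with the From.
CLASSIC_SPOOF = AuthResult("victim.example", "attacker.example", True, "", False)
LEGIT_MESSAGE = AuthResult("victim.example", "mail.victim.example", True,
                           "victim.example", True)

if __name__ == "__main__":
    print("classic spoof:", dmarc_disposition(CLASSIC_SPOOF))   # reject
    print("legitimate:   ", dmarc_disposition(LEGIT_MESSAGE))   # pass
```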

Allison Husain discovered the bug on April 1, 2020 and reported it to Google on April 3, 2020. Google confirmed the problem, classifying it as a priority 2, severity 2 bug, but did not change anything. Allison Husain then published the vulnerability together with a proof of concept (PoC) on her blog. Seven hours later, the vulnerability was patched by Google, as the security researcher writes. has published this post on the subject.
