Our CyberOPS team did it again.
Every two weeks we hold a 'Bug Bounty' event: between 4pm and 8pm we order pizza and beer and go digging for security flaws. We pick a target that runs a bug bounty program, and our objective is to find security issues in that target's assets.
In the past, we’ve found several bugs on Google, eBay, Yandex, Yahoo, and the likes.
Who was our target this time? Google.
The flaw we found (shown above) allows an attacker to send emails on behalf of Google.com (email@example.com) while choosing the email's recipient, subject and body.
An attacker can use this issue to send spam or phishing emails to any of the 900 million Gmail users on behalf of Google Apps, without having to bypass Google's anti-spam and anti-phishing controls at all.
Google’s Official Response:
We have notified the team about this issue; they will review your report and decide whether they want to make a change or not. Thanks for letting us know. Regarding our Vulnerability Reward Program, the panel decided this issue has very little or no security impact, and therefore we believe that it is not in scope for the program, so we won't be issuing a reward at this time.
Google Security Bot
What’s the Big Risk Factor?
Google has a lot of powerful security mechanisms in place; these protect their users from phishing, email manipulations, spam emails, etc.
Logically, these mechanisms are very difficult for attackers, sophisticated or not, to bypass.
In this case, however, the flaw yields an email that passes Google's own SPF and DKIM checks. Those checks cannot be forged from outside, because the message genuinely leaves Google's mail infrastructure and carries Google's DKIM signature; the attacker never has to defeat them. By comparison, when we tried to spoof the same email from outside with another, more advanced spoofing technique, the attempt failed because of google.com's DMARC policy.
[DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication protocol. It builds on the widely deployed SPF and DKIM protocols, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email.]
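The difference between the two attempts comes down to DMARC identifier alignment: a receiver accepts the From: domain only if SPF or DKIM passes for a domain that aligns with it. The following is an added illustration (it is not code from the original post, nor from Google) that applies that rule, as specified in RFC 7489, to two constructed messages: one that really left Google's servers, as in the admin-console flow, and one spoofed from an outside server that can only get SPF and DKIM to pass for a domain the attacker controls. The domain attacker.example, the authserv-id mx.example.net and the assumed p=reject policy are illustrative assumptions, not values taken from the post.

```python
"""Evaluate DMARC identifier alignment from an Authentication-Results header.

Added illustration (not code from the original post or from Google). It
applies the DMARC rule from RFC 7489: a message passes when SPF or DKIM
passes *and* the domain that passed aligns with the RFC5322.From domain.
Relaxed alignment ("r") compares organisational domains; strict ("s")
requires an exact match. The two messages below are constructed samples,
not captured mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels.
    A real implementation consults the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment (RFC 7489, section 3.1)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(value: str):
    """Yield (method, result, properties) from an Authentication-Results value
    such as 'mx.example.net; dkim=pass header.d=x; spf=pass smtp.mailfrom=y'."""
    sections = [s.strip() for s in value.split(";")][1:]  # drop the authserv-id
    for section in sections:
        m = re.match(r"(\w+)=(\w+)(.*)", section, re.S)
        if not m:
            continue
        method, result, rest = m.groups()
        props = dict(re.findall(r"(?:header|smtp)\.(\w+)=(\S+)", rest))
        yield method.lower(), result.lower(), props


def evaluate_dmarc(raw_message: str, policy: str = "reject",
                   adkim: str = "r", aspf: str = "r") -> dict:
    """Return the DMARC verdict for a raw RFC 5322 message.

    `policy` stands in for the p= tag of the From domain's DMARC record.
    'reject' is an assumption made here for illustration; nothing is
    looked up in DNS."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    dkim_aligned = spf_aligned = False
    for method, result, props in parse_auth_results(msg.get("Authentication-Results", "")):
        if result != "pass":
            continue
        if method == "dkim" and "d" in props:
            dkim_aligned |= aligned(props["d"], from_dom, adkim)
        elif method == "spf" and "mailfrom" in props:
            spf_aligned |= aligned(props["mailfrom"].split("@")[-1], from_dom, aspf)
    passed = dkim_aligned or spf_aligned
    return {
        "from_domain": from_dom,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }


# Constructed sample 1: the message genuinely left Google's infrastructure
# (the admin-console flow described in the post). SPF and DKIM both pass for
# google.com, which aligns with the From domain, so DMARC passes.
SENT_BY_GOOGLE = """\
From: "Google Apps" <no-reply@google.com>
To: victim@example.net
Subject: Getting started with Google Apps
Authentication-Results: mx.example.net;
       dkim=pass header.i=@google.com header.d=google.com header.s=example;
       spf=pass smtp.mailfrom=no-reply@google.com

Body chosen by the attacker.
"""

# Constructed sample 2: an outside server (attacker.example, an assumed name)
# forges the same From header. It can make SPF and DKIM pass for its own
# domain, but neither aligns with google.com, so DMARC fails and the policy
# applies.
SPOOFED_EXTERNALLY = """\
From: "Google Apps" <no-reply@google.com>
To: victim@example.net
Subject: Getting started with Google Apps
Authentication-Results: mx.example.net;
       dkim=pass header.d=attacker.example;
       spf=pass smtp.mailfrom=bounce@attacker.example

Same body, different origin.
"""

if __name__ == "__main__":
    for name, raw in (("sent by Google", SENT_BY_GOOGLE), ("spoofed", SPOOFED_EXTERNALLY)):
        print(name, evaluate_dmarc(raw))
```

The point the code makes is that the admin-console email is not a spoof in the DMARC sense: every identifier aligns because Google itself is the sender, so the only place the abuse can be caught is inside the product flow that lets the sender edit the message, not in the receiving mail server.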
Reproducing the Attack
To carry out the phishing attack, a threat actor needs access to their own Google Apps admin console.
Once logged in, navigate to the "Users" section and choose a user that has not yet been activated.
Click the "Getting started instructions" link. A popup window appears; clicking its "Send Email" button takes you to the last part of the attack.
The original email can now be edited to suit the attacker's needs. Combined with some social engineering and reconnaissance, the email could be crafted to achieve 99% open rates. As shown below, the recipient, subject and body can all be changed, while the message is still sent from Google's legitimate user (firstname.lastname@example.org).
And here it is in the recipient's inbox, with no spam or phishing warning from Google's otherwise strong security mechanisms.
The CyberOPS Team.