Google launched a Priority 1 investigation after initially dismissing the Gmail security vulnerability as intended behavior that did not require a fix.

The vulnerability involves the Brand Indicators for Message Identification (BIMI) email authentication method. Google introduced the feature in Gmail in 2021, but only recently rolled it out to all 1.8 billion users of the company’s email service.

BIMI displays a blue check mark verification symbol next to an email when it verifies that the brand logo shown as the sender’s avatar belongs to the company claiming to send the message. BIMI is not Google’s alone; it is maintained by a working group with broad membership that supports the validation standards. The flaw brought to Google’s attention affects only Google’s own BIMI implementation.

Anti-spoofing, at least in theory

When Google announced on May 3 that it was making BIMI broadly available to all Google Workspace customers and personal Google account users, the company emphasized the security benefits of the feature.

This will help users distinguish between messages from legitimate senders and those from impostors, Google said.

Strong email authentication helps users and email security systems identify and block spam, while also allowing senders to leverage brand trust. This increases trust in your email source, provides an immersive experience for your readers, and builds a better email ecosystem for everyone.

Gmail and Google Workspace are popular personal and business email platforms, so users of the service are natural targets for attackers.

Less than a month after BIMI was deployed across the platform, Chris Plummer, a security architect in New Hampshire, discovered a malicious spoof that was incorrectly marked as having been sent by UPS. He received the email in his Gmail inbox.

The ups and downs of BIMI

Plummer said on Twitter that he alerted Google of the vulnerability through its bug bounty program, but the company rejected his report with the message that “intended behavior will not be fixed.”

The sender found a way to trick @gmail’s authoritative stamp of approval that the end user trusts. This message reached UK netblocks, O365 and me from a Facebook account. Nothing about this is legal. Google just doesn’t want to treat this report honestly.

— Plum (@chrisplummer) June 1, 2023

“How do scammers intend to impersonate @UPS in such a convincing way?” he wrote. “The sender has found a way to trick the @gmail authoritative stamp of approval that its users trust. This message reached UK netblocks, O365 and me from a Facebook account. Nothing about this is legal.”

Plummer posted an email header showing that the spoofed message failed another verification method, the Sender Policy Framework (SPF) authentication process.

After his tweet went viral, Google’s security team contacted Plummer and told him they had changed their minds about the bug bounty claim.

“Upon closer inspection, we found that this does not appear to be a common SPF vulnerability. Therefore, we have reopened this and the appropriate teams are looking into what is happening,” their message said.

It’s a bug, not a feature

Once again, we apologize for the confusion. We also understand that our initial response may have caused you some inconvenience. Thank you for your detailed investigation.

Plummer posted a screenshot showing the investigation being assigned a priority P1 status by Google.

A Twitter user commented on Plummer’s post, saying that the problem appeared to be that UPS’s main domain had an SPF record and that the spoofer used a related subdomain to circumvent that protection.

That subdomain does not have an SPF record and SPF is not intended to be inherited by subdomains. Perhaps you’re using subdomains and that’s why you’re having issues.

Another Twitter user said the email appeared to be BIMI compliant because it met the requirements of the Domain-based Message Authentication, Reporting and Conformance (DMARC) authentication method.

Meticulous planning of DMARC and SPF

UPS passed DMARC because they use Microsoft for their email (because the email is in their SPF record). So all you have to do is send from any Microsoft account.

Another commenter said Gmail can’t fix the fact that “[Microsoft] deliberately delivered [an email] that they knew would fail SPF and DMARC.”
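The two points raised by the commenters above, that SPF records are not inherited by subdomains and that a shared mail provider listed in a brand’s SPF record lets any tenant of that provider pass SPF (and, with relaxed alignment, DMARC) for the brand, can be modelled in a few lines. The following is an added example, not code from the article or from Google, UPS or Microsoft; all domain names, IP ranges and DNS records are constructed placeholders, and `require_dkim` models one possible stricter policy a receiver could apply before showing a brand indicator, not a documented Gmail setting.

```python
import ipaddress

# Constructed DNS data (placeholders, not any real brand's or provider's records).
SPF_RECORDS = {
    "brand.example": "v=spf1 include:shared-provider.example -all",
    # "notify.brand.example" is absent on purpose: SPF records are per-name,
    # so a subdomain does not inherit its parent's record.
}
PROVIDER_NETBLOCKS = {"shared-provider.example": ["203.0.113.0/24"]}

def spf_check(mail_from_domain, sender_ip):
    """SPF verdict for the exact MAIL FROM domain: 'pass', 'fail', 'none' or 'neutral'."""
    record = SPF_RECORDS.get(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith("include:"):
            nets = PROVIDER_NETBLOCKS.get(term[len("include:"):], [])
            if any(ip in ipaddress.ip_network(n) for n in nets):
                return "pass"
        elif term == "-all":
            return "fail"
    return "neutral"

def org_domain(name):
    # Simplification: the last two labels stand in for the organisational domain.
    return ".".join(name.split(".")[-2:])

def aligned(a, b, strict=False):
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_pass(header_from, mail_from, sender_ip, dkim_domain=None, require_dkim=False):
    """DMARC passes when an aligned identifier authenticates. require_dkim (assumed
    hardening, not a documented Gmail policy) ignores SPF-only passes."""
    spf_ok = spf_check(mail_from, sender_ip) == "pass" and aligned(mail_from, header_from)
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, header_from)
    return dkim_ok if require_dkim else (spf_ok or dkim_ok)

if __name__ == "__main__":
    ip = "203.0.113.45"  # constructed: an address inside the shared provider's range
    # Subdomain with no SPF record: SPF returns none, DMARC fails without DKIM.
    print(spf_check("notify.brand.example", ip))                              # none
    print(dmarc_pass("brand.example", "notify.brand.example", ip))             # False
    # Apex domain: any tenant of the shared provider passes SPF, and relaxed
    # alignment turns that into a DMARC pass with no DKIM signature at all.
    print(dmarc_pass("brand.example", "brand.example", ip))                    # True
    print(dmarc_pass("brand.example", "brand.example", ip, require_dkim=True)) # False
```

A domain owner auditing their own SPF record can use the same logic to see which `include:` entries hand SPF-aligned DMARC passes to every customer of a shared provider.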

Plummer told Manchester Ink Link he doesn’t understand why Google would get into the email verification business.

“What’s interesting is that they boldly put their name on some of these communications [about the security benefits of the BIMI feature], relying on incomplete standards beyond Google’s control.”

He said he learned via LinkedIn on June 2 that UPS had taken action as a result of him reporting the vulnerability to Google.

“I can’t believe it,” he said. “It’s a situation where everyone works together. I couldn’t believe that the research I did forced a company like UPS to change their infrastructure and actually made Google interested in changing their product.”