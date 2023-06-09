



Google said it fixed a flaw that allowed scammers to masquerade as the UPS delivery service on Gmail after the web giant labeled bogus emails as genuine.

The problem stemmed from a weakness in an email authentication program called Brand Indicators for Message Identification (BIMI). The program is intended to protect email users from brand impersonation and phishing attacks that pretend to come from a trusted organization. BIMI also protects senders from reputational damage if their name or logo is used in cyberattacks.

To do this, BIMI, and email providers such as Google that support it, rely on email authentication standards such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC), and DomainKeys Identified Mail (DKIM). BIMI requires participating brands to adopt DMARC along with SPF or DKIM.

Google began supporting BIMI in July 2021 and implemented blue checks for verified senders last month.

Until this week, Google also applied BIMI's requirements for senders as written, i.e. DMARC alignment with either SPF or DKIM.

The switch to DKIM was made after security architect Chris Plummer discovered a bug involving SPF in late May. He found that emails purporting to come from UPS, carrying the logistics giant's logo and Google's verified blue check, were fraudulent. The problem was an SPF weakness that let unauthenticated emails be upgraded so that they appeared legitimate.
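As an added illustration (not code from the article, Google or the BIMI Group), the Python below applies the sender requirements described above to constructed Authentication-Results headers: DMARC alignment via SPF or DKIM under the BIMI baseline, versus DKIM only as Google now requires. Domain names are hypothetical, and organizational-domain matching is approximated by the last two labels rather than the Public Suffix List.

```python
import re

# Constructed sample messages (hypothetical domains, not from the article).
SAMPLE_SPF_ONLY = {   # SPF aligned with From, DKIM signature fails
    "From": "Brand <no-reply@brand.example>",
    "Authentication-Results": "mx.receiver.example; spf=pass "
        "smtp.mailfrom=bounce@brand.example; dkim=fail header.d=brand.example",
}
SAMPLE_DKIM = {       # SPF passes for an unrelated ESP domain, DKIM aligned
    "From": "Brand <no-reply@brand.example>",
    "Authentication-Results": "mx.receiver.example; spf=pass "
        "smtp.mailfrom=bounce@esp.example; dkim=pass header.d=mail.brand.example",
}
SAMPLE_UNALIGNED = {  # neither identifier aligns with the From domain
    "From": "Brand <no-reply@brand.example>",
    "Authentication-Results": "mx.receiver.example; spf=pass "
        "smtp.mailfrom=bounce@esp.example; dkim=none",
}

def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels (assumption)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(domain: str, from_dom: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return domain.lower() == from_dom.lower()
    return org_domain(domain) == org_domain(from_dom)

def parse_auth_results(value: str) -> dict:
    """Extract (result, domain) for spf and dkim from an Authentication-Results value."""
    out = {}
    m = re.search(r"\bspf=(\w+)(?:[^;]*?smtp\.mailfrom=([^\s;]+))?", value)
    if m:
        out["spf"] = (m.group(1), (m.group(2) or "").split("@")[-1])
    m = re.search(r"\bdkim=(\w+)(?:[^;]*?header\.d=([^\s;]+))?", value)
    if m:
        out["dkim"] = (m.group(1), m.group(2) or "")
    return out

def bimi_eligible(msg: dict, policy: str) -> tuple:
    """policy: 'spf-or-dkim' (BIMI baseline) or 'dkim-only' (Google's change).
    Returns (eligible, which mechanism carried the DMARC pass)."""
    from_dom = re.search(r"@([\w.\-]+)", msg["From"]).group(1).lower()
    ar = parse_auth_results(msg["Authentication-Results"])
    spf_res, spf_dom = ar.get("spf", ("none", ""))
    dkim_res, dkim_dom = ar.get("dkim", ("none", ""))
    if dkim_res == "pass" and aligned(dkim_dom, from_dom):
        return True, "dkim"
    if policy == "spf-or-dkim" and spf_res == "pass" and aligned(spf_dom, from_dom):
        return True, "spf"
    return False, "none"
```

Under the DKIM-only policy the first sample no longer earns the brand indicator, which is the path Google closed.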

“This issue stems from a security vulnerability in a third party that makes it appear more trustworthy than it actually is to bad actors,” a Google spokesperson told The Register. “To keep our users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to obtain a brand indicator (blue checkmark) status for their message IDs.”

Poor delivery on all fronts

Plummer filed a bug report with Google alerting it to the issue, and shared the report with The Register. Here is some of what he said:

Plummer told The Register that the spoofed email that successfully tricked Google into thinking it originated from UPS did not contain a malicious payload. “But if it had, the email would be highly regarded by the end user as genuine.”

Plummer said Google initially dismissed his report with a message that it “wouldn’t fix the intended behavior.” However, the increased media attention to this flaw appears to have changed some minds on the issue.

“What we will never know is how many times it has been abused and used maliciously, how many other brands have been successfully spoofed, and how many users have fallen victim to it,” Plummer said.

The BIMI Group addressed the issue in a blog post on Wednesday, saying the bug was due to “a long-standing and well-known issue with SPF that predates BIMI and even DMARC.”

The post added that the brand certification program “is working as designed,” and that the recent incident with Gmail highlighted a “longstanding edge case” that still needs to be fixed.

“We hope that the benefits and required implementation components of BIMI will create further incentives for mailbox providers participating in BIMI (and those that define and implement the standard) to address long-standing gaps in authentication protocols,” the blog post said.

