- 7h3h4ckv157
Disclaimer:
Please note that this blog is purely intended for educational purposes. I don’t endorse or promote any malicious activities or hacking attempts. My goal is to raise awareness about security risks. While the title may sound provocative, rest assured that my intentions are purely informative and aimed at enhancing “cybersecurity knowledge”.
Hey Info-Sec mates,
In this digital age, our lives are intertwined with the virtual realm, and our online identities play a noteworthy role in our daily interactions. Today, I invite you on a thrilling journey as we delve into the intriguing world of G-mail security and explore the secrets of impersonation within one of the most popular platforms. So, grab your virtual seat and let the exploration begin!
For years, this has silently resided within the vast realm and its existence is thoroughly undervalued. The magnitude of this issue is both alarming and disconcerting, as it even permits the impersonation of G-Mail individuals, including you.
Attack scenario
Anyone can send emails impersonating any legitimate G-mail user without their knowledge. Thus confirmed: G-mail users can be impersonated, including celebrities, politicians (even the Indian Prime Minister), presidents, etc.
This will help the malicious hackers to perform critical exploitation.
Important point: G-Mail’s Spam Filter was unable to detect this.
Please note: I carried out this action myself to emphasize the significance of the issue to Google during my reporting period. I urge you not to imitate such behavior in real-world settings or engage in any form of malicious activities.
I reported the case to @GoogleVRP, but their response was: Won’t Fix.
Reasons:
- Can’t force third party SMTP to stop sending fake emails.
- G-mail displays a “via server[.]name”
- G-mail’s Filter will catch such spoofed mails
Sounds reasonable, right? But unfortunately, you’re wrong!
Points to note:
- G-mail must not consider the 3rd-party server, but when the attacker uses existing G-mail accounts for spoofing, the receiver’s end must not see the display picture of the legitimate user (which is not even set by the attacker).
- Simply put, mail that arrives without authorization (from outside G-mail) and contains “@gmail.com” shouldn’t display the profile picture.
- Checking the standard encryption (TLS) details for every incoming mail isn’t possible for normal users. They’re not aware of that.
- From mobile (both Android & iOS) it’ll always look like it originates from the actual G-mail account.
- Sample Screen-Shot from Android ↓
- “via server[.]name” is 404
- It looks like it originates from G-Mail, doesn’t it?
- The Proof of Concept shows all filter checks being bypassed; additionally, the case was verified by my friend Raidh Ĥere & Sir LiveOverflow.
(The same link & steps I provided to Google)
Credit: https://x-it.medium.com/how-to-spoof-email-for-free-guide-a5fe0c6ee631
And, interestingly, I saw this tweet from GoogleVRP (after they closed my report). The tweet is about the bonus (for any valid G-Mail bug):
It really triggered my mind.
I posted a Tweet regarding the case without disclosing any information about the issue:
After that, they reopened my report and marked it as Triaged (Re-Opened) on 01.06.2023.
I was so happy at that moment.
Things went differently after this. I noticed interesting things on Twitter:
Not comparing, but such cases were marked as P1 and accepted.
My point was that I’m able to use other G-mail accounts. And specifically, the replies went directly to the legitimate users as well. I asked GoogleVRP about that.
More Info:
In the context of G-mail, the algorithm incorrectly identifies certain emails as originating from a legitimate account from the receiver’s perspective. Consequently, any responses to these unauthenticated emails are delivered directly to the inbox of legitimate users.
This issue is specific to G-mail and does not occur in Yahoo (Yahoo detects unauthorized mails). It is a clear problem that requires a resolution. As an avid user of G-mail on a daily basis, I kindly requested that they address the issue.
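The rule argued for above, that mail claiming an @gmail.com sender without being authenticated for that domain should not be shown with the account's identity, can be checked on the receiving side from the `Authentication-Results` header (RFC 8601). This is an added example, not code from the original post or from Google; the function name, host names and sample messages are constructed, and the alignment test is a simplification of DMARC relaxed alignment.

```python
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id of your own border MTA
PROP = {"spf": "smtp.mailfrom", "dkim": "header.d"}

def may_show_sender_identity(raw: str) -> bool:
    """True only if SPF or DKIM passed for a domain aligned with the From: domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    if not from_dom:
        return False
    for hdr in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in str(hdr).split(";")]
        # Results not stamped by our own receiver are ignored: a sender can forge them.
        if parts[0].lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue
        for clause in parts[1:]:
            m = re.match(r"(spf|dkim)=pass\b", clause, re.I)
            if not m:
                continue
            p = re.search(re.escape(PROP[m.group(1).lower()]) + r"=(\S+)", clause, re.I)
            if p:
                dom = p.group(1).rpartition("@")[2].lower()
                # Simplified alignment: same domain or a subdomain of the From: domain.
                if dom == from_dom or dom.endswith("." + from_dom):
                    return True
    return False

def sample(authserv: str, mailfrom: str, dkim_d: str) -> str:
    # Constructed message for illustration, not real traffic.
    return (f"Authentication-Results: {authserv};\n"
            f" spf=pass smtp.mailfrom={mailfrom};\n"
            f" dkim=pass header.d={dkim_d}\n"
            'From: "Some User" <some.user@gmail.com>\n'
            "To: reader@example.net\nSubject: hi\n\nbody\n")

GENUINE = sample("mx.example.net", "some.user@gmail.com", "gmail.com")
RELAYED = sample("mx.example.net", "bounce@relay.example.org", "relay.example.org")
FORGED_AR = sample("other.example.org", "some.user@gmail.com", "gmail.com")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("relayed", RELAYED), ("forged-AR", FORGED_AR)]:
        print(name, may_show_sender_identity(raw))
```

The relayed sample passes SPF and DKIM for the relay's own domain, yet fails the check because neither result is aligned with the `From:` domain.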
The next Incident was: G-mail profile picture not showing
During a certain period of time, G-mail users experienced an issue where their profile pictures were not being displayed. This technical glitch caused frustration and confusion for many users. The issue affected both the G-mail web interface and various mobile platforms where the G-mail app is used. Users across different devices and operating systems reported this problem, indicating that it was not limited to a specific platform.
After a period of inconvenience, G-mail users eventually saw the return of their profile pictures. Google resolved the issue, ensuring that profile pictures were once again visible within G-mail accounts. It may occur again sometime, who knows!
I’m clear on this point: they were decoding based on the report I’d submitted. I asked them about the update, then this thing happened:
The Neat Part: (They Fixed)
Upon becoming aware of the impersonation bug, Google’s security team swiftly swung into action. They diligently worked to understand the underlying causes and devised an improved spam filtering mechanism to mitigate the vulnerability.
The recent enhancement in G-mail’s spam filtering system by Google represents a significant stride in combating email impersonation and fortifying cybersecurity defenses. By leveraging advanced algorithms, the tech giant has demonstrated its commitment to ensuring user safety and privacy.
Although my report may not receive recognition, it is crucial to acknowledge Google’s team and the combined efforts being undertaken to enhance the security of G-Mail. Let us persevere in our vigilance, keep reporting vulnerabilities, and actively contribute to the construction of a safer online environment.
- They echoed the previous statement without providing explanations for the mobile view context I mentioned.
- Additionally, no need for that. The Spam Filter caught such mails (both iOS & Android), so there is no need to dig there more.
As I conclude, I cannot deny a tinge of sadness, yet I hold great respect for Google’s decision.