Gmail’s security has always been one of its biggest selling points, but now one of the hottest new security features is being actively used by hackers to trick users.
Introduced last month, Gmail's checkmark system highlights verified companies and organizations for users with a blue checkmark. The idea is to help users distinguish legitimate emails from those that might be sent by impersonators carrying out scams. Unfortunately, scammers have already gamed the system.
As spotted by cyber security engineer Chris Plummer, scammers have found a way to convince Gmail that their fake brands are legitimate. In doing so, they turn the trust the checkmark system is supposed to instill against Gmail users.
“The sender has found a way to spoof Gmail’s approved stamp of approval, which end users will trust,” Plummer explains. “This message went from the Facebook account, to the UK netblock, to O365, to me. Nothing about this is legit.”
Plummer reports that Google initially dismissed his discovery as “intentional behavior” before his tweets about it went viral, and the company acknowledged the error. In a statement to Plummer, Google wrote:
“After taking a closer look, we realized this actually didn’t look like a general weakness in the SPF. So we’re reopening this, and the appropriate team is taking a closer look at what’s going on.
We apologize again for the confusion and understand our initial response may have been frustrating; thank you so much for pressuring us to take a closer look at this!
We’ll keep you posted with our assessment and the direction this issue takes.
Regards, Google Security Team”
Plummer highlights that Google has now listed the bug as a “P1” (high priority) fix, which is currently “in progress”.
Big credit goes to Plummer, not only for discovering the issue, but for the lengths he went to in getting Google to acknowledge it. However, until Google ships a fix, Gmail’s checkmark verification system remains broken, and hackers and spammers are using it to trick you into exactly what it was supposed to combat. Be vigilant.
Follow Gordon on Facebook