Scammers Can Obtain a Gmail Blue Checkmark
One of the best selling points of Gmail is its security. Unfortunately, its security features are not perfect. Case in point: hackers found a way to get Gmail to mark their fake emails as verified and used that to scam users.
Gmail Checkmark System
Google introduced Brand Indicators for Message Identification (BIMI) in Gmail in 2021. The feature requires senders to verify their brand logo before that logo is displayed in their emails.
As a result, users see a checkmark icon next to such senders. The icon, which builds on BIMI, helps users distinguish legitimate senders from impersonators. Unfortunately, scammers have found a way to trick the system.
At first, Google dismissed the issue, describing it as intended behavior that did not need a fix. However, it later retracted that statement and launched a Priority 1 investigation.
As mentioned, the vulnerability is related to the BIMI email authentication method, which had just rolled out to 1.8 billion users.
A blue tick verification symbol is not exclusive to Google. Rather, it is being used by various platforms as part of their ongoing efforts to boost verification standards. But the Gmail flaw affects the implementation of its BIMI.
The cause is a third-party security vulnerability that lets bad actors appear more trustworthy than they are. In response, Google now requires senders to use DomainKeys Identified Mail (DKIM), a more robust authentication standard, to qualify for BIMI status.
When the company announced the feature on May 3, it emphasized its security benefits, declaring that users could easily distinguish messages from legitimate senders from those of impersonators.
With strong email authentication, both users and email security systems can stop spam, and senders can take advantage of the trust in their brand. It increases confidence in the source of an email.
Then again, less than a month after Google introduced BIMI across its platforms, Chris Plummer, a security architect, received spam emails in his Gmail inbox that had been incorrectly checkmarked.
“The sender found a way to dupe @gmail’s authoritative stamp of approval, which end users are going to trust. This message went from a Facebook account, to a UK netblock, to O365, to me. Nothing about this is legit. Google just doesn’t want to deal with this report honestly.”
He reported the bug to Google. However, Google rejected the report with the verdict “won’t fix – intended behavior.”
His tweet went viral, causing Google to have a change of heart over the bug bounty claim.
Security researchers are now starting to understand how scammers trick Gmail’s checkmark verification system.
“Gmail’s BIMI implementation only requires SPF to match, the DKIM signature can be from any domain. This means that any shared or misconfigured mail server in a BIMI-enabled domain’s SPF records can be a vector for sending spoofed messages with the full BIMI treatment in Gmail.”
This means that Apple Mail users must also be vigilant. The security community criticized the flaw and questioned how poorly Google had implemented its verification method. Google must release a fix as soon as possible.
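As an added illustration (not code from Google or from the researcher quoted above), the following Python contrasts the lenient gate the tweet describes, SPF pass plus a DKIM signature from any domain, with a gate that also requires the DKIM signing domain to match the From domain. The Authentication-Results values, domains and selector names are constructed samples, not captured from Gmail.

```python
import re

# Added example, not Google's code. Parses constructed Authentication-Results
# values and applies two BIMI eligibility gates to them.
CLAUSE_RE = re.compile(r"^(spf|dkim|dmarc)=(\w+)")
PROP_RE = re.compile(r"(smtp\.mailfrom|header\.i|header\.d|header\.from)=(\S+)")


def parse_auth_results(header):
    """Return {'spf': {...}, 'dkim': [{...}, ...], 'dmarc': {...}}; each entry
    holds the method result and the domain that result applies to."""
    out = {"dkim": []}
    for clause in header.split(";")[1:]:  # element 0 is the authserv-id
        m = CLAUSE_RE.match(clause.strip())
        if not m:
            continue
        method, result = m.groups()
        props = dict(PROP_RE.findall(clause))
        domain = (props.get("smtp.mailfrom") or props.get("header.d")
                  or props.get("header.i") or props.get("header.from") or "")
        entry = {"result": result, "domain": domain.rpartition("@")[2].lower()}
        if method == "dkim":
            out["dkim"].append(entry)  # a message may carry several signatures
        else:
            out[method] = entry
    return out


def lenient_bimi(auth):
    """Gate described in the tweet: SPF passes and any DKIM signature passes,
    no matter which domain signed."""
    spf_ok = auth.get("spf", {}).get("result") == "pass"
    return spf_ok and any(d["result"] == "pass" for d in auth["dkim"])


def aligned_bimi(auth):
    """Stricter gate: a passing DKIM signature whose signing domain equals the
    RFC5322.From domain (strict alignment; relaxed alignment is omitted)."""
    from_domain = auth.get("dmarc", {}).get("domain")
    return bool(from_domain) and any(
        d["result"] == "pass" and d["domain"] == from_domain for d in auth["dkim"])


# Constructed samples. RELAYED models the shared-relay case from the tweet:
# the relay is listed in brand.example's SPF record, so SPF (and SPF-based
# DMARC) pass, but the only DKIM signature belongs to an unrelated domain.
LEGIT = ("mx.example; spf=pass smtp.mailfrom=news@brand.example; "
         "dkim=pass header.i=@brand.example header.s=s1; "
         "dmarc=pass header.from=brand.example")
RELAYED = ("mx.example; spf=pass smtp.mailfrom=bounce@brand.example; "
           "dkim=pass header.i=@other.example header.s=s1; "
           "dmarc=pass header.from=brand.example")


def decide(header):
    """Return (lenient_verdict, aligned_verdict) for one header value."""
    auth = parse_auth_results(header)
    return lenient_bimi(auth), aligned_bimi(auth)
```

Running `decide` on the two samples shows the lenient gate accepting both, while the aligned gate rejects the relayed message because its signature domain does not match the From domain.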