Email Spoofing via Google Admin Console

Last month, we reported a vulnerability to Google that let us send email from any domain that had not previously been claimed by its owner. For example, using Google itself as the victim, we were able to claim domains such as ytimg.com and gstatic.com.

As you can see below, if you try to send a spoofed mail from another server, the system will recognize that and warn the user:

[Image: spam]

And if you look at the mail headers, you can also see that the sending server is completely different from the domain in the From address:

[Image: spam1]

For this writeup we will use the google-owned domain gstatic.com:

[Image: gstatic2]

As shown in the image above, if you claim the domain via the admin console, no warnings are given to the recipient, and if the recipient checks the mail headers, the sending server is a trusted server:

[Image: gstatic]

So not only were we claiming other domains, we were also able to trick the Google mail server into accepting a wrong FROM parameter. Google patched this vulnerability by simply forcing the FROM address to no-reply@google.com:

[Image: fail]

However, you can still claim any domain and have access to the admin console throughout the "validation process", and that is by design.
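The header check described above, automated as an added example (this is not code from the original post): it extracts the From domain and the receiver's Authentication-Results header and reports whether the domain that actually authenticated (SPF envelope sender or DKIM signing domain) aligns with the From domain. The domains, server names and headers below are constructed samples.

```python
import email
from email.utils import parseaddr

# Constructed sample 1: spoof sent from an unrelated server; the receiver's
# SPF check fails and there is no DKIM signature (the "warned" case above).
SPOOF_FROM_OTHER_SERVER = """From: Billing <billing@example-victim.test>
Authentication-Results: mx.example-recipient.test; spf=fail smtp.mailfrom=billing@example-victim.test; dkim=none
Subject: Invoice

body
"""

# Constructed sample 2: mail relayed through a server the receiver trusts, but
# the domain that authenticated is the relay's, not the one shown in From.
RELAYED_BY_TRUSTED_SERVER = """From: Billing <billing@example-victim.test>
Authentication-Results: mx.example-recipient.test; spf=pass smtp.mailfrom=bounce@example-relay.test; dkim=pass header.d=example-relay.test
Subject: Invoice

body
"""


def parse_auth_results(value):
    """Return {method: (result, {prop: value})} from an Authentication-Results value."""
    parts = [p.strip() for p in value.split(";")][1:]  # first element is the authserv-id
    results = {}
    for part in parts:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results


def assess(raw):
    """Compare the From domain with the domains that passed SPF / DKIM (strict alignment)."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    spf_domain = spf_props.get("smtp.mailfrom", "").rpartition("@")[2].lower()
    dkim_domain = dkim_props.get("header.d", "").lower()
    spf_aligned = spf_result == "pass" and spf_domain == from_domain
    dkim_aligned = dkim_result == "pass" and dkim_domain == from_domain
    if spf_aligned or dkim_aligned:
        verdict = "aligned"
    elif spf_result == "pass" or dkim_result == "pass":
        verdict = "authenticated-but-unaligned"  # trusted server, wrong From domain
    else:
        verdict = "unauthenticated"
    return {"from_domain": from_domain, "spf": spf_result, "dkim": dkim_result, "verdict": verdict}
```

Note that a relay which is authorised to send for the claimed domain itself would report as "aligned", which is why a receiver-side check alone does not cover the admin-console case and the server-side fix described above was needed.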


Thank you for reading!
