Email Spoofing via Google Admin Console
Last month, we were able to report a vulnerability to Google where we were able to email from any domain that has not been claimed by its owner previously. For example, using google itself as a victim, we were able to claim domains such as ytimg.com and gstatic.com.
As you can see below, if you try to send a spoofed mail from another server, the system will recognize that and warn the user:
and if you observe the mail header you can also see that the server is shown to be completely different than the domain:
For this writeup we will use the google-owned domain gstatic.com:
As show in the image above, if you claim the domain via the admin console, you can see that there were no warnings given to the user, and if the user checks the mail headers the server is a trusted server:
So not only we are claiming other domains, we were successfully able to trick the Google Mail Server into accepting a wrong FROM parameter. Google patched this vulnerability by simply with applying a FROM email@example.com:
However you can still claim any domain and have access to the admin console through out the “validation process” and that is by design.
Thank you for reading!