Email Spoofing via Google Admin Console

Last month, we reported a vulnerability to Google that allowed us to send email from any domain that had not previously been claimed by its owner. For example, using Google itself as the victim, we were able to claim domains such as ytimg.com and gstatic.com.

As you can see below, if you try to send a spoofed mail from another server, the system recognizes this and warns the user:

[Image: spam]

and if you inspect the mail headers, you can also see that the sending server is completely different from the From domain:

[Image: spam1]

For this writeup we will use the Google-owned domain gstatic.com:

[Image: gstatic2]

As shown in the image above, if you claim the domain via the admin console, no warning is given to the user, and if the user checks the mail headers the sending server appears as a trusted server:

[Image: gstatic]
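The header check described above (sending server and authentication results versus the From domain), as an added example that is not part of the original post: a small Python checker that reads the From domain, the passing SPF/DKIM identities from Authentication-Results and the last Received hop, and flags a message when no passing identity aligns with the From domain, which is the condition the warning in the first screenshot reflects. The two sample messages and all domains are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers (not from the original post); domains are
# placeholders. SPOOFED came through an unrelated relay, LEGIT passed
# SPF and DKIM for the From domain.
SPOOFED = """\
Received: from mail.relay.example.net (mail.relay.example.net [203.0.113.5])
        by mx.example.com with ESMTP id abc123
Authentication-Results: mx.example.com;
       spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=relay.example.net;
       dkim=none
From: Support <support@example.com>
"""
LEGIT = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
        by mx.example.com with ESMTP id def456
Authentication-Results: mx.example.com;
       spf=pass smtp.mailfrom=example.com;
       dkim=pass header.d=example.com header.s=sel1
From: Support <support@example.com>
"""

def aligned(auth_domain, from_domain):
    # Relaxed alignment as DMARC uses it: same domain or a subdomain of it
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def authenticated_domains(msg):
    # Domains that passed SPF (smtp.mailfrom) or DKIM (header.d)
    found = []
    for ar in msg.get_all("Authentication-Results", []):
        for method, prop in (("spf", r"smtp\.mailfrom"), ("dkim", r"header\.d")):
            for m in re.finditer(rf"\b{method}=(\w+)[^;]*?{prop}=([\w.-]+)", ar):
                if m.group(1).lower() == "pass":
                    found.append(m.group(2).lower())
    return found

def check_message(raw):
    # Report From domain, the last relay hop and whether any passing
    # identity aligns with the From domain (no alignment -> warn the user).
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received", [])
    hop = re.search(r"from\s+([\w.-]+)", received[0]) if received else None
    passed = authenticated_domains(msg)
    return {"from_domain": from_domain,
            "last_hop": hop.group(1).lower() if hop else "",
            "authenticated": passed,
            "aligned": any(aligned(d, from_domain) for d in passed)}
```

Run `check_message(SPOOFED)` and `check_message(LEGIT)` to compare the two cases; the first reports no aligned identity and an unrelated last hop, the second an aligned pass for both SPF and DKIM.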


So not only were we claiming other domains, we were also able to trick the Google mail server into accepting a wrong FROM parameter. Google patched this vulnerability simply by applying a FROM [email protected]:

fail

However, you can still claim any domain and have access to the admin console throughout the “validation process”, and that is by design.


Thank you for reading!
