Google Apps has become an increasingly popular set of productivity tools for business users, but the discovery of a flaw that could allow cybercriminals to conduct email spoofing using the admin console may have some early adopters concerned.
Security researchers Patrik Fehrenbach and Behrouz Sadeghipour explained in a blog post how they found an imperfection that involves using a Google Apps domain name that hasn’t already been claimed by a customer. In a series of tests, they were able to commit email spoofing — in other words, sending out messages through someone else’s Google Apps domain.
Although there is no evidence cybercriminals have exploited the flaw, it represents a particularly dangerous threat. In many attempts to spread malware via email, cybercriminals are often forced to create phony or suspicious-looking addresses that may not look enough like the real thing. In this case, the Google Apps admin tool could let anyone impersonate a legitimate organization much more effectively if, for example, they were committing phishing attacks.
Likely to underscore the severity of the threat, researchers used the flaw to commit email spoofing from domains related to Google itself. ZDNet reported that “[email protected]” and “[email protected]” were among the variations used. It’s little wonder Google wasn’t just quick to fix the problem, but to award the researchers a prize of $500.
Unfortunately, this isn’t the first security issue involving Google’s business tools. As SecurityWeek pointed out, the admin console has also been plagued by a cross-scripting vulnerability as recently as two months ago. The fact that Google fixed the email spoofing problem by simply adding “[email protected]” for unverified domains shows how simple some of these attacks are becoming.
It’s also rather ironic that, in December, Google introduced a series of enterprise security features for Google Apps. These included a Devices and Activities Dashboard, as explained by the Financial Post, that would help administrators monitor for questionable behavior. Nevertheless, one might argue that hijacking email domains could be even worse.
Over the next week, Google may offer a more comprehensive fix for email spoofing, The Hacker News said. In the meantime, it’s always best to consider that, if an email message looks a little off, it probably is.
Image Source: Flickr