Skip to main content

Gmail’s blue checkmarks were abused by scammers almost immediately, changes coming

Less than a month ago, Google debuted a new blue checkmark verification system for Gmail to help prevent scam emails, and scammers have already figured out how to abuse the system.

Gmail first launched its blue checkmarks last month, with the functionality allowing businesses to verify their marketing emails and other messages to help make it more obvious which emails are “official.” It’s a great idea, in theory, but as has now been pointed out, it doesn’t really work all that well.

Chris Plummer, a senior cybersecurity architect for Dartmouth Health, took to Twitter last week to disclose a problem with Gmail’s blue checkmarks that shows it’s possible to fake these badges.

Gmail’s system uses Brand Indicators for Message Identification (BIMI) as well as DMARC (Domain-based Message Authentication, Reporting, and Conformance) and a VMC (Verified Mark Certificate) issued by a certification authority, such as Entrust or DigiCertto, to verify both the logo and the domain attached.

Plummer doesn’t go into specifics on how scammers got around the system but offers an example of an email – complete with more detailed information – that was using the UPS logo with a domain that included “ups.com” to fake a checkmark on an email that clearly wasn’t official.

Frustratingly, a bug report from Plummer was initially marked as “intended behavior” by Google, but the company later reversed that stance and reopened the issue. That leaves the door open to a fix, but no timeline on the matter.

A system like this has obvious benefits, but scammers are persistent. It’s not surprising that a loophole was found.

In a statement provided shortly after this story was initially published, Google further explains that this issue is coming from a third-party vulnerability, and that, in response, Google will require senders to use the DomainKeys Identified Mail (DKIM) authentication standard to qualify for blue checkmarks. That new requirement will be rolled out by the end of this week.

This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are. To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status

More on Gmail:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Schoon Ben Schoon

Ben is a Senior Editor for 9to5Google.

Find him on Twitter @NexusBen. Send tips to schoon@9to5g.com or encrypted to benschoon@protonmail.com.


Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications