Less than a month ago, Google debuted a new blue checkmark verification system for Gmail to help prevent scam emails, and scammers have already figured out how to abuse the system.
Gmail first launched its blue checkmarks last month, with the functionality allowing businesses to verify their marketing emails and other messages to help make it more obvious which emails are “official.” It’s a great idea, in theory, but as has now been pointed out, it doesn’t really work all that well.
Chris Plummer, a senior cybersecurity architect for Dartmouth Health, took to Twitter last week to disclose a problem with Gmail’s blue checkmarks that shows it’s possible to fake these badges.
Gmail’s system uses Brand Indicators for Message Identification (BIMI) together with DMARC (Domain-based Message Authentication, Reporting, and Conformance) and a VMC (Verified Mark Certificate) issued by a certification authority, such as Entrust or DigiCert, to verify both the logo and the domain attached to it.
Plummer doesn’t go into specifics on how scammers got around the system but offers an example of an email – complete with more detailed information – that was using the UPS logo with a domain that included “ups.com” to fake a checkmark on an email that clearly wasn’t official.
Frustratingly, a bug report from Plummer was initially marked as “intended behavior” by Google, but the company later reversed that stance and reopened the issue. That leaves the door open to a fix, but no timeline on the matter.
A system like this has obvious benefits, but scammers are persistent. It’s not surprising that a loophole was found.
In a statement provided shortly after this story was initially published, Google further explains that this issue is coming from a third-party vulnerability, and that, in response, Google will require senders to use the DomainKeys Identified Mail (DKIM) authentication standard to qualify for blue checkmarks. That new requirement will be rolled out by the end of this week.
This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are. To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status.
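To make the change concrete, here is an added example (not code from the article, from Google, or from any BIMI implementation) of a receiver-side eligibility check for showing a brand indicator. It evaluates a message's Authentication-Results header (RFC 8601 syntax) against the sender's DMARC and BIMI DNS records, first under the looser rule (a DMARC pass plus a BIMI record with a logo and VMC) and then under the stricter rule the article describes, which this example interprets as requiring a DKIM pass whose signing domain aligns with the From domain. The domain names, DNS records and headers are constructed, and `org_domain` is a simplified stand-in for a real public-suffix lookup.

```python
"""Brand-indicator eligibility check (added example; assumptions noted in comments).

Demonstrates why a DMARC pass alone is a weaker gate than a DMARC pass plus an
aligned DKIM signature: DMARC can pass on SPF alignment even when the only DKIM
signature on the message belongs to an unrelated third party.
"""
import re

# Constructed DNS records for a fictitious brand domain (not from the article).
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@brand.example"
SAMPLE_BIMI = "v=BIMI1; l=https://brand.example/logo.svg; a=https://brand.example/vmc.pem"

# Constructed Authentication-Results headers as a receiving MTA might write them.
# Case A: DKIM signed only by an unrelated bulk-mail provider; DMARC passed via SPF.
AUTH_SPF_ONLY = ("mx.example; dkim=pass header.d=bulkmailer.example; "
                 "spf=pass smtp.mailfrom=brand.example; dmarc=pass header.from=brand.example")
# Case B: DKIM signature from the brand's own domain, aligned with From.
AUTH_ALIGNED_DKIM = ("mx.example; dkim=pass header.d=brand.example; "
                     "spf=pass smtp.mailfrom=brand.example; dmarc=pass header.from=brand.example")


def parse_tag_value(record):
    """Parse a 'k=v; k=v' DNS TXT record (DMARC/BIMI syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_is_enforcing(record):
    """BIMI requires an enforcing DMARC policy (quarantine or reject), not p=none."""
    tags = parse_tag_value(record)
    return tags.get("v") == "DMARC1" and tags.get("p") in ("quarantine", "reject")


def bimi_has_logo_and_vmc(record):
    """The BIMI record must point at a logo (l=) and a VMC (a=)."""
    tags = parse_tag_value(record)
    return tags.get("v") == "BIMI1" and bool(tags.get("l")) and bool(tags.get("a"))


def parse_auth_results(header):
    """Return {method: (result, {property: value})} from an Authentication-Results header."""
    results = {}
    for clause in header.split(";")[1:]:  # the first element is the authserv-id
        match = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
        if not match:
            continue
        method, result, rest = match.groups()
        props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
        results[method.lower()] = (result.lower(), props)
    return results


def org_domain(domain):
    """Simplified organizational-domain helper; assumes a one-label public suffix."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def indicator_decision(auth_header, from_domain, dmarc_record, bimi_record, require_dkim):
    """Decide whether to display the brand indicator. Returns (allowed, reasons)."""
    reasons = []
    auth = parse_auth_results(auth_header)

    dmarc_result, dmarc_props = auth.get("dmarc", ("none", {}))
    if dmarc_result != "pass" or org_domain(dmarc_props.get("header.from", "")) != org_domain(from_domain):
        reasons.append("DMARC did not pass for the From domain")
    if not dmarc_is_enforcing(dmarc_record):
        reasons.append("DMARC policy is not quarantine/reject")
    if not bimi_has_logo_and_vmc(bimi_record):
        reasons.append("BIMI record lacks a logo or VMC")

    if require_dkim:
        # Stricter rule: the DKIM signing domain (header.d) must align with From.
        dkim_result, dkim_props = auth.get("dkim", ("none", {}))
        if dkim_result != "pass" or org_domain(dkim_props.get("header.d", "")) != org_domain(from_domain):
            reasons.append("no DKIM pass whose signing domain aligns with From")

    return (not reasons, reasons)


if __name__ == "__main__":
    for label, header in (("SPF-only DMARC pass", AUTH_SPF_ONLY), ("aligned DKIM", AUTH_ALIGNED_DKIM)):
        for strict in (False, True):
            allowed, why = indicator_decision(header, "brand.example", SAMPLE_DMARC, SAMPLE_BIMI, strict)
            print(f"{label:22} require_dkim={strict!s:5} -> {'show' if allowed else 'hide'} {why}")
```

Run as a script, the SPF-only message is shown under the old rule and hidden under the DKIM requirement, while the message with an aligned DKIM signature is shown under both. The check deliberately returns the list of failed conditions rather than a bare boolean so that a mail pipeline can log why an indicator was withheld.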