Cybersecurity Engineer Discovers Gmail Vulnerability Affecting 1.8 Billion Users

Over the last year, Google has been stepping up its security game around Gmail, from client-side email encryption to brand verification measures meant to help prevent phishing and spam. A security researcher, however, found a problem with the latter that puts Gmail users at risk, only weeks after the feature was introduced.


Last week, security architect Chris Plummer discovered that scammers were spoofing Gmail's new verified checkmark, which is built on the "Brand Indicators for Message Identification" (BIMI) standard. Per Google's blog, this is a "feature that requires senders to use strong authentication and verify their brand logo in order to display a brand logo as an avatar in emails." In theory, the checkmark gives recipients an easy way to tell whether an incoming email is legitimate. In practice, it is not that simple.


All that glitters is not gold: Plummer reported that the scammers' email had been routed through Facebook, to a UK IP address, then through Office 365 and on to him, arriving with the verification checkmark attached. He reported the issue to Google, hoping it would be fixed so that less eagle-eyed recipients would not be fooled by the trick. Google, however, reportedly closed the ticket as intended behavior.

Thankfully, after his initial tweet gained more exposure, Google took a closer look and reopened the bug report at high priority and severity.

Regardless of the bug or the checkmark system, people should always be wary of emails and their senders. In this case, even though the checkmark was present, the sender address did not look legitimate: it contained "UPS", but the displayed address itself can be spoofed as well. Better safe than sorry, folks: don't rely on Google alone to protect you from scammers, because mistakes can and certainly do happen.
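The checkmark only summarises an authentication result. The Authentication-Results header that the receiving mail server adds still records which domain actually passed SPF or DKIM, and that is what a careful recipient or a mail filter can compare against the visible From address. The script below is an added example written for this page, not code from the article, from Google or from Plummer. It parses that header, checks whether the passing domain is aligned with the From domain, and flags a brand name in the display name that the From domain is not known to send for. The three messages, the two-label "registrable domain" rule and the BRAND_DOMAINS allowlist are all constructed for the example; real DMARC alignment uses the Public Suffix List.

```python
"""Check whether the domain that passed SPF/DKIM (per the receiving server's
Authentication-Results header, RFC 8601) is aligned with the visible From domain.
Added example; the messages below are constructed, not the incident's headers."""
import email
import re
from email import policy
from email.utils import parseaddr

# 1) Properly aligned: DKIM d= and SPF mailfrom share the From domain.
ALIGNED = """\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@ups.example header.s=sel1 header.b=abcd;
       spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@ups.example;
       dmarc=pass (p=REJECT) header.from=ups.example
From: UPS Notifications <no-reply@ups.example>
To: victim@example.net
Subject: Your package

body
"""
# 2) Receiver asserts dmarc=pass, yet neither authenticated domain is the From domain
#    (a relayed message; constructed to show what a mis-evaluated result looks like).
RELAYED = """\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@mail-relay.example header.s=s2 header.b=efgh;
       spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=bounces@socialmail.example;
       dmarc=pass (p=QUARANTINE) header.from=ups.example
From: UPS Delivery <notice@ups.example>
To: victim@example.net
Subject: Delivery failed

body
"""
# 3) Fully aligned and authenticated, but the brand in the display name does not
#    belong to the From domain: authentication proves nothing about who the sender is.
LOOKALIKE = """\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@parcel-alerts.example header.s=k1 header.b=ijkl;
       spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=ups@parcel-alerts.example;
       dmarc=pass (p=NONE) header.from=parcel-alerts.example
From: UPS Customer Service <ups.service@parcel-alerts.example>
To: victim@example.net
Subject: Action required

body
"""

# Constructed allowlist (assumption for this example): brand word -> domains it sends from.
BRAND_DOMAINS = {"ups": {"ups.example"}}


def parse_authentication_results(value):
    """Return {method: {"result": str, "props": {"ptype.property": value}}}."""
    value = re.sub(r"\s+", " ", value).strip()
    results = {}
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if not m:
            continue
        props = dict(re.findall(r"(\w+\.\w+)=([^\s;()]+)", clause))
        results[m.group(1).lower()] = {"result": m.group(2).lower(), "props": props}
    return results


def registrable_domain(domain):
    """Organizational domain for relaxed alignment. Simplification (assumption):
    the last two labels; real DMARC consults the Public Suffix List (e.g. co.uk)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def assess(raw):
    """Recompute SPF/DKIM alignment from the headers instead of trusting the checkmark."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    ar = parse_authentication_results(str(msg["Authentication-Results"]))

    dkim = ar.get("dkim", {"result": "none", "props": {}})
    spf = ar.get("spf", {"result": "none", "props": {}})
    dkim_domain = dkim["props"].get("header.d") or dkim["props"].get("header.i", "").split("@")[-1]
    spf_domain = spf["props"].get("smtp.mailfrom", "").split("@")[-1]
    dkim_aligned = dkim["result"] == "pass" and registrable_domain(dkim_domain) == registrable_domain(from_domain)
    spf_aligned = spf["result"] == "pass" and registrable_domain(spf_domain) == registrable_domain(from_domain)

    # Brand words in the display name or local part that the From domain is not known to send for.
    words = set(re.findall(r"[a-z]+", (display + " " + addr.split("@")[0]).lower()))
    brand_mismatch = sorted(b for b in words & set(BRAND_DOMAINS) if from_domain not in BRAND_DOMAINS[b])

    return {
        "from_domain": from_domain,
        "claimed_dmarc": ar.get("dmarc", {}).get("result", "none"),
        "dkim_domain": dkim_domain, "dkim_aligned": dkim_aligned,
        "spf_domain": spf_domain, "spf_aligned": spf_aligned,
        "aligned": dkim_aligned or spf_aligned,
        "brand_mismatch": brand_mismatch,
    }


if __name__ == "__main__":
    for name, raw in (("aligned", ALIGNED), ("relayed", RELAYED), ("lookalike", LOOKALIKE)):
        print(name, assess(raw))
```

The second message is the interesting one: the receiver's own dmarc= verdict says pass, but the dkim= and spf= clauses show that the domains which actually authenticated are a relay and a bulk-mail service, not the domain shown in From. The third message shows the opposite trap the article warns about: everything aligns, so a checkmark would be justified, yet "UPS" in the display name has nothing to do with the domain that passed.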