fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Google Fixes Major Gmail Bug Seven Hours After Exploit Details Go Public

Google Fixes Major Gmail Bug Seven Hours After Exploit Details Go Public

Attackers could have sent spoofed emails mimicking any Gmail or G Suite customer.

how-to-back-up-gmail-the-ultimate-guide-5e3ad1bb12c3680001857ad8-1-feb-10-2020-21-08-11-poster.jpg

Google has patched on Wednesday a major security bug impacting the Gmail and G Suite email servers.

The bug could have allowed a threat actor to send spoofed emails mimicking any Gmail or G Suite customer.

According to security researcher Allison Husain, who found and reported this issue to Google in April, the bug also allowed attachers to pass the spoofed emails as compliant with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), two of the most advanced email security standards.

GOOGLE DELAYED PATCHES, DESPITE A FOUR MONTHS HEADS-UP

However, despite having 137 days to fix the reported issue, Google initially delayed patches past the disclosure deadline, planning to fix the bug somewhere in September.

Google engineers changed their mind yesterday after Husain published details about the bug on her blog, including proof-of-concept exploit code.

Seven hours after the blog post went live, Google told Husain they deployed mitigations to block any attacks leveraging the reported issue, while they wait for final patches to deploy in September.

In hindsight, yesterday’s bug patching snafu is a common occurrence in the tech industry, where many companies and their security teams don’t always fully understand the severity and repercussions of not patching a vulnerability until details about that bug become public, and they stand to be exploited.

HOW THE GMAIL (G SUITE) BUG WORKED

As for the bug itself, the issue is actually a combination of two factors, as Husain explains in her blog post.

The first is a bug that lets an attacker send spoofed emails to an email gateway on the Gmail and G Suite backend.

The attacker can run/rent a malicious email server on the Gmail and G Suite backend, allow this email through, and then use the second bug.

This second bug allows the attacker to set up custom email routing rules that take an incoming email and forward it, while also spoofing the identity of any Gmail or G Suite customer using a native Gmail/G Suite feature named “Change envelope recipient.”

Also read: 12 brief explanation about the benefits of data protection for business success

The benefit of using this feature for forwarding emails is that Gmail/G Suite also validates the spoofed forwarded email against SPF and DMARC security standards, helping attackers authenticate the spoofed message. See Husain’s graph below for a breakdown of how the two bugs can be combined.

gmail-bug.png
Image: Allison Husain

“Additionally, since the message is originating from Google’s backend, it is also likely that the message will have a lower spam score and so should be filtered less often,” Husain said, while also pointing out that the two bugs are unique to Google only.

If the bug had been left unpatched, ZDNet has no doubt that the exploit would have most likely been widely adopted by email spam groups, BEC scammers, and malware distributors.

Google’s mitigations have been deployed server-side, which means Gmail and G Suite customers don’t need to do anything.

timeline.png

Also read: Privacy policy template important tips for your business

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us