The security of Gmail has always been one of its biggest selling points, but now one of its most important new security features is actively being used by hackers to scam users.
Introduced last month, the Gmail checkmark system highlights verified companies and organizations to users with a blue checkmark. The idea is to help users discern which emails are legitimate and which may have been sent by impersonators running scams. Unfortunately, scammers have tricked the system.
Cybersecurity engineer Chris Plummer spotted scammers who have found a way to convince Gmail that their fake brands are legitimate, thereby turning the confidence the checkmark system is supposed to instill against Gmail users.
“The sender found a way to dupe @gmail ’s authoritative stamp of approval, which end users are going to trust,” explains Plummer. “This message went from a Facebook account, to a UK netblock, to O365, to me. Nothing about this is legit.”
Plummer reports that Google initially dismissed his discovery as “intended behaviour”; only after his tweets about it went viral did the company acknowledge the error. In a statement to Plummer, Google wrote:
“After taking a closer look we realized that this indeed doesn’t seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on.
We apologize again for the confusion and we understand our initial response might have been frustrating, thank you so much for pressing on for us to take a closer look at this!
We’ll keep you posted with our assessment and the direction that this issue takes.
Regards, Google Security Team”
Plummer highlights that Google has now listed the flaw as a ‘P1’ (top priority) fix, which is currently “in progress.”
Immense credit goes to Plummer, not just for his discovery, but for the lengths to which he went to make Google acknowledge the problem. That said, until Google has a fix, the Gmail checkmark verification system remains broken and is being used by hackers and spammers to trick you with the exact thing it was meant to combat. Stay vigilant.
Follow Gordon on Facebook