Post by jabom on Dec 30, 2023 7:26:02 GMT
Update: Understanding the Scope of the Issue

Recent developments investigating Gmail's logo verification system have shed light on how scammers exploit it and on its implications for other email services. Jonathan Rudenberg, a debugger in Gmail's security team, has successfully replicated the hack on Gmail and highlighted that other major email services are also vulnerable to similar attacks.

This revelation has raised concerns within the security community about the vulnerability and poor implementation of the Gmail verification method. Rudenberg discovered that Gmail's Brand Indicators for Message Identification (BIMI) implementation only requires Sender Policy Framework (SPF) to match, while the DomainKeys Identified Mail (DKIM) signature can be from any domain. This misconfiguration allows any shared or misconfigured mail server in a BIMI-enabled domain's SPF records to become a vector for sending spoofed messages with the full BIMI treatment in Gmail.

Further investigations into BIMI implementations on other major email services have revealed the following:
- iCloud properly checks that DKIM matches the From domain.
- BIMI treatment to bulk sends with a high reputation.
- Fastmail is vulnerable but supports Gravatar and uses the same treatment for both, minimizing the impact.
- Apple Mail + Fastmail is vulnerable to dangerous treatment.

These findings highlight the need for enhanced security measures across multiple email services to prevent scammers from exploiting vulnerabilities.

Update: Google's Response and Immediate.
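To make the difference between the two policies concrete, here is an added example (not code from the post, and not Gmail's or iCloud's implementation): a small model of BIMI eligibility run over constructed Authentication-Results headers. The weak policy grants the logo on an aligned SPF pass alone, as the post describes for Gmail; the hardened policy requires a passing DKIM signature whose d= domain aligns with the From domain, as the post describes for iCloud. The domain names (brand.example, attacker.example, mx.example), the sample headers and the two-label approximation of the organizational domain are assumptions made for the example.

```python
# Added example (not code from the original post or from Gmail/iCloud): a model
# of the two BIMI eligibility policies the post contrasts, run over constructed
# Authentication-Results headers. Domain names are placeholders.
import re


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Simplification for this example; production code uses the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate: str, from_domain: str) -> bool:
    """DMARC-style relaxed alignment: same organizational domain."""
    return org_domain(candidate) == org_domain(from_domain)


# Minimal parsers for the spf= and dkim= clauses of an Authentication-Results
# header (RFC 8601 syntax); only the fields needed here are extracted.
SPF_RE = re.compile(r"\bspf=(\w+)\s+smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)")
DKIM_RE = re.compile(r"\bdkim=(\w+)\s+header\.d=([\w.-]+)")


def parse_auth_results(header: str):
    """Return ((spf_result, mailfrom_domain), [(dkim_result, d_domain), ...])."""
    spf = SPF_RE.search(header)
    spf_part = (spf.group(1), spf.group(2)) if spf else (None, None)
    dkim_part = [(m.group(1), m.group(2)) for m in DKIM_RE.finditer(header)]
    return spf_part, dkim_part


def bimi_eligible_spf_only(from_domain: str, header: str) -> bool:
    """Weak policy the post attributes to Gmail: an aligned SPF pass is enough,
    whatever domain produced the DKIM signature."""
    (spf_result, mailfrom), _ = parse_auth_results(header)
    return spf_result == "pass" and mailfrom is not None and aligned(mailfrom, from_domain)


def bimi_eligible_dkim_aligned(from_domain: str, header: str) -> bool:
    """Hardened policy the post attributes to iCloud: require a passing DKIM
    signature whose d= domain aligns with the From domain."""
    _, dkim = parse_auth_results(header)
    return any(result == "pass" and aligned(d, from_domain) for result, d in dkim)


def evaluate(from_domain: str, header: str) -> dict:
    """Run both policies on one message and report which would show the logo."""
    return {
        "spf_only": bimi_eligible_spf_only(from_domain, header),
        "dkim_aligned": bimi_eligible_dkim_aligned(from_domain, header),
    }


# Constructed sample headers (placeholders, not captured traffic).
FROM_DOMAIN = "brand.example"

# 1. Genuine mail: aligned SPF pass and DKIM signed by the brand itself.
AR_LEGIT = ("mx.example; spf=pass smtp.mailfrom=bounce@brand.example; "
            "dkim=pass header.d=brand.example header.i=@brand.example")

# 2. The vector in the post: a tenant of a shared mail server that sits in
#    brand.example's SPF record sends with MAIL FROM at brand.example, so SPF
#    passes and aligns, but the DKIM signature is from the attacker's own domain.
AR_SHARED_SERVER = ("mx.example; spf=pass smtp.mailfrom=bounce@brand.example; "
                    "dkim=pass header.d=attacker.example header.i=@attacker.example")

# 3. Forwarded genuine mail: SPF breaks on forwarding, the DKIM signature survives.
AR_FORWARDED = ("mx.example; spf=fail smtp.mailfrom=bounce@brand.example; "
                "dkim=pass header.d=brand.example header.i=@brand.example")

if __name__ == "__main__":
    for name, ar in [("legit", AR_LEGIT), ("shared-server spoof", AR_SHARED_SERVER),
                     ("forwarded", AR_FORWARDED)]:
        print(f"{name:20s} {evaluate(FROM_DOMAIN, ar)}")
```

The second sample is the case the post describes: the SPF-only policy shows the brand logo even though the only signature on the message belongs to attacker.example, while the DKIM-aligned policy refuses it. The third sample shows why requiring DKIM alignment is also the more robust rule for legitimate mail, since a forwarded message keeps its aligned DKIM signature after SPF has broken.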