Google denies email injection flaw can bypass filters and pwn users
Israel-based cyber-threat specialist Cyberint insists it has found a serious flaw in Google's security, despite the tech giant's denial that email injection can be used to bypass its security filters.
In correspondence with SCMagazineUK.com, Google rejected Cyberint's claim that a malicious user could use the Google Apps admin console to bypass email security.
Elad Ben-Meir, VP marketing at Cyberint, told SC that his company had discovered a flaw which would allow an attacker to send emails that would bypass SPF and DKIM checks because they would genuinely come from firstname.lastname@example.org.
However, Google rejected the claim, pointing out that spoofing isn't specific to Gmail and that all incoming mail is subject to security scans regardless of where it purports to come from.
Despite these denials, Ben-Meir insisted that attackers can use this method to send spam and phishing emails to any one of Google's 900 million Gmail users on behalf of Google Apps, “without the need of bypassing Google's anti-spam/Phishing controls”.
The attack is claimed to exploit a flaw in the email notification system of the Google Apps admin console that allows a user to change the notification email's recipient, subject and body.
Cyberint complained that Google Security rejected the case when it submitted it for a bug bounty. In response to Cyberint's submission, Google Security wrote:
We have notified the team about this issue; they will review your report and decide whether they want to make a change or not. Thanks for letting us know. Regarding our Vulnerability Reward Program, the panel decided this issue has very little or no security impact, and therefore we believe that it is not in scope for the program, so we won't be issuing a reward at this time.
Cyberint reports that it was surprised by Google's response. “A security weakness of this magnitude has serious implications for Google's growing corporate business,” the company said in a statement. “Should Google fail to fix the flaw quickly enough, it is leaving its users, particularly its new and growing business customer base, open to attack.”
The statement continued: “So far, however, Google doesn't appear to appreciate fully the potential reputational and financial damage it could soon suffer.”
Ben-Meir told SC that Cyberint conducts regular whitehat attacks against a range of internet service companies. It has discovered numerous flaws in other services, including Citrix.
Asked to rate this flaw compared to other flaws they have dealt with, Ben-Meir said he would give it an 8/10 or 9/10 because of its ability to bypass Gmail's security – “Gmail is usually very good with security,” he said – and because Cyberint also managed to automate the process.
A Google spokesperson told SC: “We appreciate researchers' efforts to help keep users safe. The purpose of -noreply@ is to send notifications and route replies to nowhere, by design. In Gmail's case, our spam filters process -noreply@ messages normally, and route emails classified as spam or phishing appropriately. Gmail does not grant special ‘whitelisting’ privileges to messages from ‘no-reply@’ addresses, and our spam filters routinely block malicious messages if they fit this pattern.”
Security researchers we spoke to described the flaw as an “embarrassing architectural flaw for Google” but rated it as a very low security risk.