Google tightens Gmail spoof security hole

News by Tom Espiner

Google has tightened up Gmail security after a researcher successfully spoofed emails to Google founders Sergey Brin and Larry Page.

Mathematician Zachary Harris used a flaw in Google's implementation of the DomainKeys Identified Mail (DKIM) standard to send emails to Brin and Page which were purportedly from each other, technology publication Wired said on Tuesday.

DKIM is a security standard that is designed to mitigate phishing and other spoofing attacks by cryptographically associating a domain name with an email message.

Google had been signing mail from a legitimate corporate domain with a weak 512-bit RSA key, rather than the minimum of 1,024 bits that RFC 6376 requires for long-lived DKIM keys.

Harris factored Google's 512-bit key using rented Amazon Web Services compute at a cost of $75. Google is now using stronger DKIM keys, a Google spokeswoman told Wired.

A number of organisations are still using weak DKIM keys, leaving themselves open to phishing attacks, US-CERT warned in an advisory on Tuesday.

Organisations should revoke and replace DKIM keys that are shorter than 1,024 bits, said US-CERT.
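The check US-CERT is asking for can be done from the public DNS record alone: a DKIM selector's TXT record carries the RSA public key as a base64 DER SubjectPublicKeyInfo in its p= tag, and the modulus size falls straight out of that. The following is an added example, not Google's or US-CERT's code, that parses such a record and flags any RSA modulus below the RFC 6376 minimum. The selector names under example.com and the sample records are constructed here (placeholder moduli of the right size, not real keys).

```python
"""Audit DKIM TXT records for RSA keys below RFC 6376's 1,024-bit minimum.
Added example. Sample records are constructed (placeholder moduli, not real
keys) and the example.com selector names are assumptions."""
import base64
import re

MIN_BITS = 1024  # RFC 6376 section 3.3.3: long-lived signing keys must be >= 1024 bits


def _der_len(n):
    """DER length: short form below 128, long form (0x80 | byte count) otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    """DER INTEGER; a 0x00 pad keeps values with the top bit set positive."""
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _der(0x02, b)


def make_spki(n, e=65537):
    """Build the DER SubjectPublicKeyInfo a DKIM p= tag carries (before base64).
    Used here only to construct sample records with a modulus of a chosen size."""
    rsa_oid = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
    alg_id = _der(0x30, rsa_oid + b"\x05\x00")           # AlgorithmIdentifier with NULL params
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))     # RSAPublicKey { modulus, publicExponent }
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))  # BIT STRING, 0 unused bits


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long form: next (ln & 0x7f) bytes are the length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def rsa_modulus_bits(spki):
    """Return the RSA modulus size in bits from a DER SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(spki, 0)               # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _alg, pos = _read_tlv(body, 0)               # AlgorithmIdentifier (skipped)
    tag, bitstr, _ = _read_tlv(body, pos)           # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)        # RSAPublicKey SEQUENCE
    tag, modulus, _ = _read_tlv(rsa_pub, 0)         # first INTEGER is the modulus n
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt):
    """Split 'tag=value; tag=value' into a dict. Whitespace inside values is dropped
    because a long p= value is often split across several TXT strings."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def audit_dkim_record(txt):
    """Classify one DKIM TXT record as dict(bits=..., weak=..., verdict=...)."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":               # k= defaults to rsa per RFC 6376
        return {"bits": None, "weak": False, "verdict": "non-RSA key, not assessed"}
    p = tags.get("p", "")
    if not p:                                       # empty p= means the key has been revoked
        return {"bits": 0, "weak": False, "verdict": "revoked (empty p=)"}
    bits = rsa_modulus_bits(base64.b64decode(p))
    weak = bits < MIN_BITS
    verdict = f"{bits}-bit RSA: " + ("WEAK, revoke and replace" if weak else "ok")
    return {"bits": bits, "weak": weak, "verdict": verdict}


def _sample_record(bits):
    n = (1 << (bits - 1)) | 1   # placeholder odd modulus of exactly `bits` bits, not a real key
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(make_spki(n)).decode()


# Constructed sample records keyed by assumed selector names (not real DNS data).
SAMPLE_RECORDS = {
    "weak._domainkey.example.com": _sample_record(512),
    "ok._domainkey.example.com": _sample_record(1024),
    "strong._domainkey.example.com": _sample_record(2048),
    "revoked._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name}: {audit_dkim_record(rec)['verdict']}")
```

Against a real domain, fetch the record with `dig +short TXT <selector>._domainkey.<domain>`, join the quoted TXT strings into one value and pass it to `audit_dkim_record`. The selector comes from the `s=` tag of a DKIM-Signature header on mail the domain actually sends, which is exactly where an attacker would read it too.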

Google had not responded to a separate request for comment at the time of writing.
