Hackers can hijack a website's domain-name-based email addresses, including using them to send targeted phishing emails, thanks to a critical vulnerability discovered in Google Apps for Work.
Cyber-security researchers Patrik Fehrenbach and Behrouz Sadeghipour reported in their blog: “We were able to email from any domain that has not been claimed by its owner previously. For example, using Google itself as a victim, we were able to claim domains such as ytimg.com and gstatic.com.”
Google Apps for Work is intended to provide users with collaborative services including Gmail, Drive storage, Calendar, online documents, and video Hangouts. A customised email address based on a user's own domain can be created to replace the gmail.com address, simply by signing up as for a normal Gmail account. Once the domain is verified by Google, the user makes the change via the domain's admin console panel in the Google Apps interface; an attacker, however, was able to register any domain not previously registered with the Google Apps service.
This was possible because the researchers located a page on Google Apps that allows a domain admin to send 'Sign in Instructions' to the organisation's users (e.g. email@example.com) by accessing the following URL directly in the browser.
The researchers obtained firstname.lastname@example.org and sent an email with the subject 'Welcome to Twitter' in an attempt to obtain the recipient's Twitter credentials.
Google has responded with a partial patch which still allows an attacker to access 'Send Sign in Instructions' for unverified domains, but now via email@example.com rather than the custom email address.
Behrouz told online publication The Hacker News (THN) that "Google believes that showing the sender as apps-noreply is good enough," but, as THN noted, this wouldn't stop hackers from targeting victims. Google stated: "Before your organisation can use Google services like Gmail with your company's domain, you'll need to verify that you own it. This ensures that no one else can use services or send email that appears to come from your company."
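The flaw described above is an authorisation check tied to the wrong state: a domain that has merely been added to a workspace was treated as one whose ownership had been proven. The following is an added example, written for this article and not code from Google or from the researchers, that models the class of bug as a toy "send sign-in instructions" handler. The vulnerable handler checks only that the domain is registered to the caller's workspace; the hardened handler also requires that ownership has been proven. The ownership proof is simulated with a constructed in-memory DNS table and a TXT-record token; the record format, function names and the `FAKE_DNS` table are all assumptions for this example, not Google's actual verification mechanism.

```python
"""Added example: a toy model of a 'send sign-in instructions' endpoint,
showing a registration-only check beside an ownership-verified check.
Not Google's code; the DNS table and token format are constructed."""

import secrets
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised when a workspace may not send mail carrying a given domain."""


@dataclass
class Workspace:
    admin: str
    domains: set = field(default_factory=set)    # domains added by the admin
    verified: set = field(default_factory=set)   # domains with proven ownership
    pending: dict = field(default_factory=dict)  # domain -> issued token


# Constructed stand-in for DNS: domain -> list of TXT records (assumption).
FAKE_DNS = {"victim.example": []}


def lookup_txt(domain):
    """Return the TXT records of a domain from the constructed DNS table."""
    return FAKE_DNS.get(domain, [])


def start_verification(ws, domain):
    """Add the domain to the workspace and issue a token the real owner
    must publish as a TXT record before ownership counts as proven."""
    token = "site-verification=" + secrets.token_hex(16)
    ws.pending[domain] = token
    ws.domains.add(domain)
    return token


def complete_verification(ws, domain):
    """Ownership is proven only if the token issued to this workspace is
    actually present in the domain's DNS; a claim alone is not enough."""
    token = ws.pending.get(domain)
    if token is not None and token in lookup_txt(domain):
        ws.verified.add(domain)
        del ws.pending[domain]
        return True
    return False


def send_sign_in_instructions_vulnerable(ws, recipient, sender_domain):
    """Vulnerable pattern: being registered in the workspace is treated
    as authorisation to send mail that appears to come from the domain."""
    if sender_domain not in ws.domains:
        raise NotAuthorized("domain not in workspace")
    return {"from": f"admin@{sender_domain}", "to": recipient}


def send_sign_in_instructions_fixed(ws, recipient, sender_domain):
    """Hardened pattern: mail may carry the domain only after the
    workspace has proven ownership of it."""
    if sender_domain not in ws.verified:
        raise NotAuthorized("domain ownership not verified")
    return {"from": f"admin@{sender_domain}", "to": recipient}


def _can_send(handler, ws, recipient, domain):
    try:
        handler(ws, recipient, domain)
        return True
    except NotAuthorized:
        return False


def demo():
    """Run both handlers against a workspace that has claimed but never
    verified a domain, then show the real owner passing the check."""
    claimant = Workspace(admin="someone@example.net")
    start_verification(claimant, "victim.example")  # token never published
    results = {
        "vulnerable_sent": _can_send(send_sign_in_instructions_vulnerable,
                                     claimant, "user@victim.example",
                                     "victim.example"),
        "fixed_sent": _can_send(send_sign_in_instructions_fixed,
                                claimant, "user@victim.example",
                                "victim.example"),
    }
    # The real owner can publish its token in DNS, so its check passes.
    owner = Workspace(admin="it@victim.example")
    owner_token = start_verification(owner, "victim.example")
    FAKE_DNS["victim.example"].append(owner_token)
    results["owner_verified"] = complete_verification(owner, "victim.example")
    # The claimant's token was never published, so it still fails.
    results["claimant_verified"] = complete_verification(claimant, "victim.example")
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is the state the check keys on: `ws.domains` records only that a domain was typed into a form, while `ws.verified` records that a secret the service issued was found somewhere only the owner can put it. The partial patch the article describes changes what the sender address looks like but, as THN noted, does not change which state authorises the send.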