Google rolled out a blue verified checkmark for Gmail accounts that acts as a safety signal, allowing users to distinguish genuine emails from phishing emails. Sadly, scammers have managed to bypass the security check, convincing Google that their account is real. Chris Plummer, a security architect at Dartmouth Health, discovered a bug in Gmail that dupes Google’s authoritative stamp of approval, ultimately making end users believe that the email address is genuine.
In a Twitter thread, Plummer writes “There is most certainly a bug in Gmail being exploited by scammers to pull this off, so I submitted a bug which @google lazily closed as ‘won’t fix – intended behavior’. How is a scammer impersonating @UPS in such a convincing way ‘intended’.”
“The sender found a way to dupe @gmail’s authoritative stamp of approval, which end users are going to trust. This message went from a Facebook account, to a UK netblock, to O365, to me. Nothing about this is legit. Google just doesn’t want to deal with this report honestly,” he says.
Plummer reported his discovery to Google. The tech giant initially dismissed it as ‘intended behaviour’, but as the tweet went viral, Google acknowledged the error and said:
“After taking a closer look we realized that this indeed doesn’t seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on. We apologize again for the confusion and we understand our initial response might have been frustrating, thank you so much for pressing on for us to take a closer look at this! We’ll keep you posted with our assessment and the direction that this issue takes. Regards, Google Security Team”.
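As an added illustration that is not part of the article, and not Google's or Gmail's own code: a defensive check that decides whether to trust a sender from the receiving mail server's Authentication-Results header (the SPF, DKIM and DMARC outcomes) instead of from a badge rendered in the mail client. It goes a little beyond the article by applying the general DMARC rule that the passing SPF or DKIM domain must align with the visible From: domain. The authserv-id mx.example.net, the domain names and the sample messages are constructed assumptions.

```python
"""Added example (not from the article): trust a sender only when the
Authentication-Results header written by our own MTA shows dmarc=pass, or an
SPF/DKIM pass aligned with the visible From: domain.
Assumptions: our MTA stamps the header with the authserv-id mx.example.net
(hypothetical); every sample message below is constructed."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id used by our own MTA


def from_domain(msg: Message) -> str:
    """Domain of the visible From: address, i.e. what the user actually sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header: str) -> dict:
    """Parse an RFC 8601 style header into
    {'authserv': id, 'results': {method: (result, property_string)}}."""
    flat = " ".join(header.split())  # undo header folding
    parts = [p.strip() for p in flat.split(";") if p.strip()]
    authserv = parts[0].split()[0].lower() if parts else ""
    results = {}
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)\s*(.*)", part)
        if m:
            results[m.group(1).lower()] = (m.group(2).lower(), m.group(3))
    return {"authserv": authserv, "results": results}


def prop_domain(props: str, key: str) -> str:
    """Domain named by a property such as smtp.mailfrom=... or header.d=..."""
    m = re.search(rf"{re.escape(key)}=(\S+)", props)
    return m.group(1).rpartition("@")[2].lower() if m else ""


def is_authenticated(raw: str) -> bool:
    """True only if a header from the trusted authserv reports dmarc=pass, or an
    SPF/DKIM pass whose domain is strictly aligned with the From: domain.
    Headers carrying any other authserv-id are ignored, since they could have
    been added by an upstream hop rather than by our own MTA."""
    msg = message_from_string(raw)
    fdom = from_domain(msg)
    for hdr in msg.get_all("Authentication-Results", []):
        ar = parse_auth_results(hdr)
        if ar["authserv"] != TRUSTED_AUTHSERV:
            continue
        r = ar["results"]
        if r.get("dmarc", ("", ""))[0] == "pass":
            return True
        spf = r.get("spf")
        if spf and spf[0] == "pass" and prop_domain(spf[1], "smtp.mailfrom") == fdom:
            return True
        dkim = r.get("dkim")
        if dkim and dkim[0] == "pass" and prop_domain(dkim[1], "header.d") == fdom:
            return True
    return False


# Constructed sample messages (not real mail). SPF and DKIM pass for an
# unrelated domain, so the visible From: is not authenticated.
SPOOFED = """From: "Brand Support" <support@brand.example>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bulk.other.example;
 dkim=pass header.d=other.example;
 dmarc=fail header.from=brand.example
Subject: Your parcel

body
"""

GENUINE = """From: support@brand.example
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=brand.example;
 dkim=pass header.d=brand.example; dmarc=pass header.from=brand.example
Subject: Your parcel

body
"""

# A dmarc=pass claim stamped by an untrusted authserv-id is not honoured.
UPSTREAM_CLAIM = """From: support@brand.example
Authentication-Results: upstream.example; dmarc=pass header.from=brand.example
Subject: Your parcel

body
"""

ALIGNED_DKIM_ONLY = """From: support@brand.example
Authentication-Results: mx.example.net; dkim=pass header.d=brand.example; spf=none
Subject: Your parcel

body
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("genuine", GENUINE),
                      ("upstream claim", UPSTREAM_CLAIM), ("aligned dkim", ALIGNED_DKIM_ONLY)]:
        print(f"{name}: authenticated={is_authenticated(raw)}")
```

The check deliberately uses strict alignment (exact domain match) and trusts only headers bearing our own authserv-id; a production filter would also strip any pre-existing Authentication-Results headers at the border MTA and may apply relaxed (organisational-domain) alignment as the domain's DMARC policy allows.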