A vulnerability in Google Admin that could have allowed domains to be claimed for the sending of spoofed emails has been patched by the company, reports The Register.
Security researchers Patrik Fehrenbach and Behrouz Sadeghipour discovered a weakness within the Google Admin console, the hub where administrators manage their organization's Google Apps account. They found that by exploiting the weakness, they were able to temporarily gain ownership of any domain that wasn't claimed.
According to Security Week, the pair put this to the test by borrowing domains owned by Google - ytimg.com (which hosts YouTube images and scripts) and gstatic.com, which loads data from its content delivery network.
By taking advantage of the exploit, the duo successfully sent out emails that appeared to come from admin@gstatic.com and admin@ytimg.com. If this attack had been replicated in the real world, an attacker would have been able to send spoofed email thats would escape digital scrutiny as they appeared to originate from trusted servers.
"Not only we are claiming other domains, we were successfully able to trick the Google Mail Server into accepting a wrong FROM parameter," the researchers explained.
If unpatched, this vulnerability could have been used for extremely effective phishing attacks, with cybercriminals potentially spoofing the domains of banks, without servers flashing up warnings of a suspicious seeming email.
Fortunately, the exploit has now been fixed, after the researchers reported the issue to Google. The received email address has changed from admin to no-reply@google.com, and the researchers were awarded $500 for their troubles.