[HN Gopher] Sending SPF and DMARC passing mail as any Gmail or G...
       ___________________________________________________________________
        
       Sending SPF and DMARC passing mail as any Gmail or G Suite customer
        
       Author : djsumdog
       Score  : 40 points
       Date   : 2020-08-20 21:24 UTC (1 hours ago)
        
 (HTM) web link (ezh.es)
 (TXT) w3m dump (ezh.es)
        
       | lucasjans wrote:
       | She reported this issue on April 3rd. Google marked it as a
       | duplicate on April 21st, meaning someone else had already
       | reported it.
       | 
       | After it was not fixed, she publicly disclosed the issue and
       | within 7 hours it was patched.
       | 
       | What broke in the process at Google? This issue allowed GSuite
       | users to impersonate each other to send email. That is very
       | serious.
        
       | ocdtrekkie wrote:
       | I actually noticed yesterday that apparently G Suite customers
       | can email Gmail accounts using domains with invalid SPF records
       | (set to hardfail if not from a different mail service). I thought
       | that was very odd. It seems that Google assumes G Suite's domain
       | validation process is adequate, and doesn't bother checking SPF
       | records for mail internal to Google's infrastructure. The flaw
       | reported in this article depends on this apparent decision.
       | 
       | Whilst this general choice may not be the gaping security hole it
       | feels like, because G Suite validates domain ownership, it does
       | lead to people setting up G Suite, configuring their MX records
       | (G Suite doesn't make SPF obvious to a new account, when I did it
       | a few months ago for someone), and then people may email back and
       | forth with a personal (likely Gmail) account to test it works.
       | 
       | Then, when they email someone with another mail server, they
       | blame us when their SPF record is configured to block G Suite.
        
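The receiver-side SPF evaluation that ocdtrekkie's comment describes (a domain whose record hardfails everything except its own MX, next to one that includes its mail provider), as an added example that is not part of the thread. The DNS records, netblocks and domain names are constructed stand-ins, not real records, so the check runs offline.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (placeholder domains/netblocks, not real data).
FAKE_DNS_TXT = {
    "broken.example": "v=spf1 mx -all",                          # provider never included
    "fixed.example": "v=spf1 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 include:_netblocks.provider.example ~all",
    "_netblocks.provider.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}
# Constructed stand-in for the A records of each domain's MX hosts.
FAKE_DNS_MX_A = {"broken.example": ["198.51.100.10"], "fixed.example": ["198.51.100.10"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """SPF result for sender_ip sending as @domain (RFC 7208 subset: ip4, ip6,
    mx, include, all). "fail" is the hardfail that makes a strict receiver reject."""
    if depth > 10:
        return "permerror"              # include loop or too many lookups
    record = FAKE_DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # membership is False when address family and network family differ
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":
            matched = any(ip == ipaddress.ip_address(a) for a in FAKE_DNS_MX_A.get(domain, []))
        elif mech == "include":
            # include only matches when the referenced record evaluates to "pass"
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # no mechanism matched and no "all" term
```

Mail from the provider's netblock is rejected for broken.example and accepted for fixed.example, which is exactly the difference an external receiver sees while Google-internal delivery skips the check.
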
       | regecks wrote:
       | You can do the same thing with Fastmail. Completely
       | indistinguishable from a legitimate email - all signatures look
       | exactly the same. Any user can impersonate any other user. Not
       | considered a vulnerability.
       | 
       | What's especially frustrating is that Fastmail have a special
       | opaque sender header that only they can interpret, and they put a
       | little "verified" icon on email that _actually_ comes from them.
        | So it's a vulnerability if I impersonate _them_, but not any
       | other Fastmail user. Sigh. I'm a happy FM user, apart from that.
       | But I'm going to keep bringing it up until they do something
       | about it. At least let me blacklist my domain from being used by
       | other accounts jfc.
        
       | mobilio wrote:
        | Seems that this is the answer to why there was a short outage of a
        | few G services today.
        
       ___________________________________________________________________
       (page generated 2020-08-20 23:00 UTC)