[HN Gopher] Sending SPF and DMARC passing mail as any Gmail or G...
___________________________________________________________________
Sending SPF and DMARC passing mail as any Gmail or G Suite customer
Author : djsumdog
Score  : 40 points
Date   : 2020-08-20 21:24 UTC (1 hours ago)
(HTM) web link (ezh.es)
(TXT) w3m dump (ezh.es)

| lucasjans wrote:
| She reported this issue on April 3rd. Google marked it as a
| duplicate on April 21st, meaning someone else had already
| reported it.
|
| After it was not fixed, she publicly disclosed the issue and
| within 7 hours it was patched.
|
| What broke in the process at Google? This issue allowed GSuite
| users to impersonate each other to send email. That is very
| serious.
|
| ocdtrekkie wrote:
| I actually noticed yesterday that apparently G Suite customers
| can email Gmail accounts using domains with invalid SPF records
| (set to hardfail if not from a different mail service). I thought
| that was very odd. It seems that Google assumes G Suite's domain
| validation process is adequate, and doesn't bother checking SPF
| records for mail internal to Google's infrastructure. The flaw
| reported in this article depends on this apparent decision.
|
| Whilst this general choice may not be the gaping security hole it
| feels like, because G Suite validates domain ownership, it does
| lead to people setting up G Suite, configuring their MX records
| (G Suite doesn't make SPF obvious to a new account, when I did it
| a few months ago for someone), and then people may email back and
| forth with a personal (likely Gmail) account to test it works.
|
| Then, when they email someone with another mail server, they
| blame us when their SPF record is configured to block G Suite.
|
| regecks wrote:
| You can do the same thing with Fastmail. Completely
| indistinguishable from a legitimate email - all signatures look
| exactly the same. Any user can impersonate any other user. Not
| considered a vulnerability.
|
| What's especially frustrating is that Fastmail have a special
| opaque sender header that only they can interpret, and they put a
| little "verified" icon on email that _actually_ comes from them.
| So it's a vulnerability if I impersonate _them_, but not any
| other Fastmail user. Sigh. I'm a happy FM user, apart from that.
| But I'm going to keep bringing it up until they do something
| about it. At least let me blacklist my domain from being used by
| other accounts jfc.
|
| mobilio wrote:
| Seems that this is the answer to why there was a short outage of
| a few G services today.
___________________________________________________________________
(page generated 2020-08-20 23:00 UTC)
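Added example, not from the linked article or any commenter above: a small offline SPF evaluator plus a DMARC alignment check, run over a constructed DNS table, to make concrete what ocdtrekkie's "SPF set to hardfail" means for a receiver that actually performs the check. Every domain, IP address and record here is a constructed placeholder (example.com, _spf.mailhost.example, 198.51.100.0/24, and so on), and the evaluator only understands the `ip4`, `ip6`, `include` and `all` mechanisms; the organizational-domain helper is a toy that takes the last two labels instead of consulting the Public Suffix List. A receiver that skips SPF for mail it regards as internal never produces the `fail` and `reject` outcomes shown below, which is the gap the thread is describing.

```python
"""Offline SPF evaluation and DMARC SPF-alignment check (constructed data)."""
import ipaddress

# Constructed TXT records; none of these names or addresses are real.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.mailhost.example -all",      # hardfail
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",      # softfail
    "softfail.example": "v=spf1 ip4:203.0.113.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=s",              # strict alignment
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed table."""
    return DNS_TXT.get(name.lower())


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record for sender_ip.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Supports ip4/ip6/include/all; any other mechanism is a permerror here.
    """
    if depth > 10:                       # RFC 7208 limits DNS-querying terms
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # Version mismatch simply does not match; no CIDR means a single host.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # An include matches only if the referenced record yields "pass".
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # no mechanism matched, no "all" present


def org_domain(domain):
    """Toy organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_policy(from_domain):
    """Parse the _dmarc TXT record of the RFC5322.From domain into a tag dict."""
    rec = lookup_txt("_dmarc." + from_domain)
    if rec is None or not rec.startswith("v=DMARC1"):
        return None
    return dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)


def spf_aligned(from_domain, mailfrom_domain, mode):
    """DMARC SPF alignment: 's' requires exact match, 'r' organizational match."""
    if mode == "s":
        return from_domain.lower() == mailfrom_domain.lower()
    return org_domain(from_domain) == org_domain(mailfrom_domain)


def evaluate_message(from_domain, mailfrom_domain, sender_ip):
    """Combine SPF result and alignment into a DMARC verdict and disposition."""
    spf = check_spf(mailfrom_domain, sender_ip)
    policy = dmarc_policy(from_domain)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "disposition": "none"}
    aligned = spf == "pass" and spf_aligned(from_domain, mailfrom_domain,
                                            policy.get("aspf", "r"))
    return {"spf": spf,
            "dmarc": "pass" if aligned else "fail",
            "disposition": "none" if aligned else policy.get("p", "none")}


if __name__ == "__main__":
    # Listed IP: passes; unlisted IP against a -all record: hardfail -> reject.
    print(evaluate_message("example.com", "example.com", "198.51.100.7"))
    print(evaluate_message("example.com", "example.com", "192.0.2.5"))
```

The second call in the demo is the case ocdtrekkie raises: the From: domain publishes `-all`, the sending host is not in the record, and a receiver that evaluates SPF and DMARC gets `fail` with a `reject` disposition. Changing the outer record to `~all` turns the SPF result into `softfail`, which is why hardfail matters for the "blame us" scenario in that comment.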