Researchers have identified a security issue in the Google Apps Admin console that could have been exploited to claim any domain and use it to send out spoofed emails.
Patrik Fehrenbach and Behrouz Sadeghipour said they noticed last month that they could use the Google Admin console, which allows administrators to manage their organization’s Google Apps account, to gain temporary ownership of any domain that wasn’t previously claimed.
The experts conducted some tests by claiming two domains owned by Google itself. The targeted domains were ytimg.com, which is used to host Youtube images and scripts, and gstatic.com, which is used by Google for loading content from its content delivery network (CDN).
The researchers then used these domains to send out emails that appeared to come from "firstname.lastname@example.org" and "email@example.com." An attacker could have exploited the vulnerability to send out malicious emails that would not be flagged as suspicious because they came from trusted servers.
“So not only we are claiming other domains, we were successfully able to trick the Google Mail Server into accepting a wrong FROM parameter,” the researchers explained in a blog post.
Fehrenbach and Sadeghipour said they could even claim domains belonging to major banks and use them to send out emails. This could have been highly effective for phishing attacks because the emails looked like they had been sent from a legitimate bank email address, and Gmail would not warn recipients that the messages might be coming from a spoofed address.
Google has addressed the vulnerability and awarded the experts $500 for their effort.
When Google customers claim a domain, they are required to prove its ownership by adding a TXT or CNAME record to the domain’s DNS settings, by uploading an HTML file to the domain’s Web server, or by adding a <meta> tag to the website’s home page.
Now, according to the researchers, access is still given to any domain roughly 15-20 minutes after the request has been submitted. However, access is granted only throughout the domain ownership verification process, which lasts roughly one hour, and all emails sent from domains that have not been verified appear to come from the email address “firstname.lastname@example.org.”
Other researchers have identified even more serious vulnerabilities in the Google Apps Admin console. In January, an expert reported getting $5,000 from Google after discovering a critical cross-site scripting (XSS) vulnerability in the administration console.