Email Spoofing Flaw Found in Google Admin Console

Researchers have identified a security issue in the Google Apps Admin console that could have been exploited to claim any domain and use it to send out spoofed emails.


Patrik Fehrenbach and Behrouz Sadeghipour said they noticed last month that they could use the Google Admin console, which allows administrators to manage their organization’s Google Apps account, to gain temporary ownership of any domain that wasn’t previously claimed.

The experts conducted some tests by claiming two domains owned by Google itself. The targeted domains were, which is used to host Youtube images and scripts, and, which is used by Google for loading content from its content delivery network (CDN).

The researchers then used these domains to send out emails that appeared to come from “[email protected]” and “[email protected].” An attacker could have exploited the vulnerability to send out malicious emails that would not be flagged as suspicious because they came from trusted servers.

“So not only we are claiming other domains, we were successfully able to trick the Google Mail Server into accepting a wrong FROM parameter,” the researchers explained in a blog post.

Fehrenbach and Sadeghipour said they could even claim domains belonging to major banks and use them to send out emails. This could have been highly effective for phishing attacks because the emails looked like they had been sent from a legitimate bank email address, and Gmail would not warn recipients that the messages might be coming from a spoofed address.

Google has addressed the vulnerability and awarded the experts $500 for their effort.


When Google customers claim a domain, they are required to prove its ownership by adding a TXT or CNAME record to the domain’s DNS settings, by uploading an HTML file to the domain’s Web server, or by adding a <meta> tag to the website’s home page.

Now, according to the researchers, access is still given to any domain roughly 15-20 minutes after the request has been submitted. However, access is granted only throughout the domain ownership verification process, which lasts roughly one hour, and all emails sent from domains that have not been verified appear to come from the email address “[email protected]”.
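The ownership proofs and the sender restriction described above can be sketched as a verification gate. This is an added example, not Google's code or the researchers': it checks the TXT and <meta> proofs only, and the function names, token values, domains and placeholder sender address are constructed assumptions, with only the `google-site-verification` label taken from Google's public verification format.

```python
from html.parser import HTMLParser

TOKEN_NAME = "google-site-verification"   # label used in the TXT and <meta> proofs
PLACEHOLDER_FROM = "unverified@provider.example"  # placeholder, not the real address

class _HeadMeta(HTMLParser):
    """Collect verification tokens from <meta> tags that sit inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head, self.tokens = False, set()

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False          # ignore tags in user-editable page content
        elif tag == "meta" and self.in_head:
            a = dict(attrs)
            if (a.get("name") or "").lower() == TOKEN_NAME and a.get("content"):
                self.tokens.add(a["content"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def published_tokens(txt_records=(), homepage_html=""):
    """Tokens the domain itself publishes via DNS TXT or its home page."""
    prefix = TOKEN_NAME + "="
    found = {r[len(prefix):] for r in txt_records if r.startswith(prefix)}
    parser = _HeadMeta()
    parser.feed(homepage_html)
    return found | parser.tokens

def is_verified(issued_token, txt_records=(), homepage_html=""):
    """True only if the token issued to this claimant appears on the domain."""
    return issued_token in published_tokens(txt_records, homepage_html)

def effective_from(requested_from, claimed_domain, verified):
    """Honour a From address in the claimed domain only once it is verified."""
    domain = requested_from.rsplit("@", 1)[-1].lower()
    if verified and domain == claimed_domain.lower():
        return requested_from
    return PLACEHOLDER_FROM

if __name__ == "__main__":
    # Constructed sample: the real owner's records do not carry the claimant's token.
    owner_txt = ["v=spf1 -all", "google-site-verification=owner-token-999"]
    ok = is_verified("claimant-token-123", txt_records=owner_txt)
    print(ok, effective_from("support@bank.example", "bank.example", ok))
```

The token must be the one issued to the specific claimant: a domain that already publishes a different account's verification record does not verify a new claim.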

Other researchers have identified even more serious vulnerabilities in the Google Apps Admin console. In January, an expert reported getting $5,000 from Google after discovering a critical cross-site scripting (XSS) vulnerability in the administration console.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
