Home / News

Serious Gmail Flaw: Security Group Demonstrates Sending Unlimited Spam Using Google's Own Servers

  • May 12, 2008 8:51 AM PST
  • Comments: 0
  • Views: 3,939
Print Comment
External Source

Researchers at Information Security Research Team (INSERT) have dissevered a serious flaw in Google's Gmail service. The group demonstrates how anyone with no special Internet access privileges other than being able to connect to SMTP (TCP port 25) and HTTP (TCP port 80) servers is able to exploit a single Gmail account in order to be granted nearly unrestricted access to Google's massive whitelisted SMTP relay infrastructure.

From the Report:

As part of our recent work on the trust hierarchy that exists among email providers throughout the Internet, we have uncovered a serious security flaw in Google's free email service, Gmail. This vulnerability exposes Google's email servers in a way that allows an attacker to use them as open spam and phishing relays. This issue is related to the risk of a malicious user abusing Gmail's email forwarding functionality. This is possible because Gmail's email forwarding functionality does not impose proper security restrictions during its setup process and can be easily subverted. By exploiting this problem an attacker can send unlimited spam and phishing (i.e. forged) email messages that are delivered by Google's very own SMTP servers. Since the messages are delivered by Google's own servers, an attack based on this flaw is able to bypass all spam filters that are based on the blacklist / whitelist concept. We were able to confirm that this vulnerability is indeed exploitable by crafting a proof of concept attack that allowed us to send forged email messages unrestrictedly through Google's server infrastructure. We have also verified that this flaw allows attackers to bypass spam filters by using our method to send messages that are usually flagged as spam. While sending these messages directly from our network in the traditional way had the messages classified as spam, by sending the very same messages using our exploit, the messages were delivered directly to the victim's inbox, thus bypassing filters. All email providers that offer Google's SMTP servers any special level of trust (e.g. whitelist status) are vulnerable. We have contacted Google about this issue and are waiting for their position before releasing further details.

Read full story: External Source

Related topics: Email, Security, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:
Print Comment

Comments

To post comments, please login or create an account.

Related Blogs

World Notices That Verisign Said Three Months Ago That They Had a Security Breach Two Years Ago

  • Feb 02, 2012
  • Comments: 2

DMARC: New Email Authentication Protocol

  • Jan 31, 2012
  • Comments: 0

The State of Mail Database Marketing

  • Jan 28, 2012
  • Comments: 0

IP Address Reputation Primer

  • Jan 26, 2012
  • Comments: 7

Privacy Rules to Change in the EU, But What If …?

  • Jan 24, 2012
  • Comments: 0
View More

Related News

DNSChanger Trojan Still Running on Half of Fortune 500s, US Govt

  • Feb 02, 2012
  • Comments: 0

Public-Private Cooperation Policy for Cyber Security Suggested by Commissioner Kroes

  • Jan 31, 2012
  • Comments: 0

DDoS Attacks Increased by 2000% in Past 3 Years, Asia Generating Over Half of Recent Attacks

  • Jan 31, 2012
  • Comments: 0

NASA Website Blocked Due to DNSSEC Error

  • Jan 25, 2012
  • Comments: 0

Comcast Announces Completion of DNSSEC Deployment

  • Jan 10, 2012
  • Comments: 0
View More

Topics

Access ProvidersLaw
BroadbandMalware
CensorshipMobile
Cloud ComputingMultilinguism
CyberattackNet Neutrality
CybercrimeP2P
CybersquattingPolicy & Regulation
Data CenterPrivacy
DNSRegional Registries
DNSSECRegistry Services
Domain NamesSecurity
EmailSpam
EnumTelecom
ICANNTop-Level Domains
Internet GovernanceVoIP
Internet ProtocolWeb
IP AddressingWhite Space
IPTVWhois
IPv6Wireless
View More

Industry Updates – Sponsored Posts

MarkMonitor to Exhibit at Internet Tech Policy Exhibition and Reception to be Held on Capitol Hill

Verisign to Award New Infrastructure Research Grants

Nixu SNS 2.5 Series Gives Fresh Views on DNS

Neustar Names Joe Pasqua to Head Neustar Labs

Q3 2011 Fraud Intelligence Report

The Spookiest DDoS Attacks in History

Protecting Your Business from DDoS Attacks: Advice from Neustar

A Different Kettle of Phish

Introduction to Nixu Software: End-to-End Software-Based DNS, DHCP, IPAM Solutions for Your Network

MarkMonitor Fraud Intelligence Report Released for Q2 2011

Dyn Releases New Powerhouse in Enterprise Class Email Delivery

  • By Dyn
  • Views: 1,357

President Obama Names Neustar President and CEO Lisa Hook to NSTAC

Verisign's Matt Larson Wins 2011 InfoWorld Technology Leadership Award

Internet Adds 4.5 Million Domain Names in First Quarter of 2011

Businesses Lack Safeguards Against DDoS Attacks and DNS Failures, New Research Shows

Q1 2011 Fraud Intelligence Report

Neustar Launches SiteProtect for DDoS Protection

The Botnet-Counterfeit Drugs Connection

Verisign Enhances Its Managed DNS Service With Full Support for DNSSEC Compliance and Geo Location

Verisign Achieves Critical DNSSEC Milestone by Deploying Security Extensions in .com TLD

View More

Hot Topics

Afilias

DNSSEC

Sponsored by
Afilias
Verisign

Security

Sponsored by
Verisign
Neustar UltraDNS

DNS

Sponsored by
Neustar UltraDNS
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines
dotMobi

Mobile

Sponsored by
dotMobi
View More