The security of Gmail has long been a major selling point, but now hackers are exploiting one of its most important new security features to deceive users.
Introduced last month, the Gmail checkmark system is designed to highlight verified companies and organizations with a blue checkmark, helping users identify legitimate emails and avoid scams. However, scammers have found a way to manipulate the system.
Cybersecurity engineer Chris Plummer discovered that scammers can get Gmail to display the blue checkmark on messages that impersonate a legitimate brand, undermining the intended purpose of the checkmark system and deceiving Gmail users.
Plummer explains, “The sender found a way to dupe @gmail’s authoritative stamp of approval, which end users are going to trust. This message went from a Facebook account, to a UK netblock, to O365, to me. Nothing about this is legit.”
Initially, Google dismissed Plummer’s discovery as “intended behavior,” but after his tweets gained viral attention, the company acknowledged the error. In a statement to Plummer, Google wrote:
“After taking a closer look, we realized that this indeed doesn’t seem like a generic SPF vulnerability. Thus we are reopening this, and the appropriate team is taking a closer look at what is going on. We apologize again for the confusion, and we understand our initial response might have been frustrating. Thank you so much for pressing on for us to take a closer look at this! We’ll keep you posted with our assessment and the direction that this issue takes. Regards, Google Security Team.”
Google has now categorized the flaw as a top-priority fix and is currently working on it.
Credit goes to Plummer for his discovery and his persistence in making Google address the issue. However, until Google ships a fix, the blue checkmark can still be obtained by spoofed mail, so it should not be treated as proof that a message is genuine; hackers and spammers can continue to exploit it for deceptive purposes. Remain vigilant.
06/05 Update: Security researchers are gaining insights into how Gmail’s checkmark verification system is being manipulated and how the same weakness affects other email services. Software engineer Jonathan Rudenberg demonstrated the hack on Gmail and explained in a blog post:
“Gmail’s BIMI implementation only requires SPF to match; the DKIM signature can be from any domain. This means that any shared or misconfigured mail server in a BIMI-enabled domain’s SPF records can be a vector for sending spoofed messages with the full BIMI ✅ treatment in Gmail…
BIMI is worse than the status quo, as it enables super-powered phishing based on a single misconfiguration in the extremely complicated and fragile stack that is email.”
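To make the failure Rudenberg describes concrete, the following added example (not code from the original article, from Google, or from Rudenberg) models the two eligibility checks side by side. It assumes constructed DNS data for hypothetical domains: brand.example publishes an SPF record that includes a shared mail provider, shared-mailer.example, whose address range also serves an attacker. The "loose" policy grants the logo when SPF passes for a MAIL FROM that aligns with the visible From header, regardless of who signed the DKIM signature; the "strict" policy additionally requires a DKIM signature whose d= domain aligns with the From domain. The organizational-domain helper is a deliberate simplification (a real implementation uses the Public Suffix List).

```python
"""Toy model of BIMI logo eligibility: SPF-only versus DKIM-aligned checks.

Added example with constructed data; brand.example, shared-mailer.example and
attacker.example are hypothetical and the DNS records below are not real.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed SPF records. The brand trusts a shared provider's whole netblock,
# so every customer of that provider can emit mail that passes SPF for the brand.
TXT_RECORDS = {
    "brand.example": "v=spf1 include:shared-mailer.example -all",
    "shared-mailer.example": "v=spf1 ip4:203.0.113.0/24 -all",
}


def spf_authorized(domain: str, source_ip: str, depth: int = 0) -> bool:
    """Minimal SPF evaluator supporting only ip4: and include: mechanisms."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms; treat deep recursion as fail
        return False
    record = TXT_RECORDS.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return False
    addr = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return True
        elif term.startswith("include:"):
            if spf_authorized(term[8:], source_ip, depth + 1):
                return True
        elif term.endswith("all"):
            return term == "+all"  # "-all", "~all", "?all" do not authorize
    return False


def org_domain(domain: str) -> str:
    """Naive organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


@dataclass
class Message:
    from_domain: str            # domain of the visible RFC 5322 From header
    mail_from_domain: str       # RFC 5321 MAIL FROM, which is what SPF checks
    source_ip: str              # connecting IP of the last hop
    dkim_d: Optional[str]       # d= of a DKIM signature that verified, if any


def loose_bimi(msg: Message) -> bool:
    """Flawed policy: aligned SPF pass is enough; DKIM signer can be anyone."""
    spf_ok = spf_authorized(msg.mail_from_domain, msg.source_ip)
    aligned = org_domain(msg.mail_from_domain) == org_domain(msg.from_domain)
    return spf_ok and aligned


def strict_bimi(msg: Message) -> bool:
    """Hardened policy: require a DKIM signature whose d= aligns with From.

    A shared SPF netblock alone cannot satisfy this, because the attacker does
    not hold the brand's DKIM private key.
    """
    if msg.dkim_d is None:
        return False
    return org_domain(msg.dkim_d) == org_domain(msg.from_domain)


# Constructed scenario: attacker relays through the shared provider, sets MAIL
# FROM to the brand's domain (the provider does not restrict it), and signs with
# their own DKIM key because that is the only one they have.
SPOOFED = Message(
    from_domain="brand.example",
    mail_from_domain="brand.example",
    source_ip="203.0.113.45",
    dkim_d="attacker.example",
)

# Constructed legitimate message from the brand's own signing infrastructure.
LEGIT = Message(
    from_domain="brand.example",
    mail_from_domain="brand.example",
    source_ip="203.0.113.10",
    dkim_d="brand.example",
)


def evaluate(msg: Message) -> dict:
    """Return both verdicts so the difference between the policies is visible."""
    return {"loose_logo": loose_bimi(msg), "strict_logo": strict_bimi(msg)}


if __name__ == "__main__":
    for label, m in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, evaluate(m))
```

Running the block shows the spoofed message earning the logo under the loose policy and being refused under the strict one, while the legitimate message passes both. The practical lesson for a domain owner is that every host reachable through an `include:` in the SPF record is a potential sender of logo-bearing mail, unless the receiver insists on a DKIM signature from the brand's own key.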
Rudenberg also assessed BIMI implementations on other major email services:
- iCloud: Properly checks that DKIM matches the From domain.
- Yahoo: Only attaches BIMI treatment to bulk sends with high reputation.
- Fastmail: Vulnerable but also supports Gravatar and uses the same treatment for both, minimizing the impact.
- Apple Mail + Fastmail: Vulnerable with a dangerous treatment.
This means Apple Mail and Fastmail users should also remain cautious, even though those clients do not present the same verified checkmark as Gmail. Domain owners who publish BIMI records should likewise audit every host their SPF record authorizes, since any shared or misconfigured server in that list can originate mail that passes SPF for their domain. The security community has responded critically to this vulnerability, questioning how it occurred and highlighting the poor implementation of Gmail’s verification method. Google needs to address this issue urgently.