Gmail's checkmark system was introduced to help users distinguish legitimate emails from certified businesses and organizations from those sent by potential scammers. The feature does this by marking such senders with a blue checkmark.
However, threat actors were able to take advantage of this feature, raising questions about the general security of Gmail.
Chris Plummer, a cybersecurity expert, found that cybercriminals could deceive Gmail into thinking their bogus businesses were real. This way, they shattered the trust Gmail users were supposed to have in the checkmark system.
"The sender found a way to dupe @gmail's authoritative stamp of approval, which end users are going to trust. This message went from a Facebook account to a UK netblock, to O365, to me. Nothing about this is legit," says Plummer.
Initially, Google dismissed the claims, calling this “intended behavior.” But after Plummer’s tweet about the flaw drew a significant response, Google finally acknowledged the error.
Later, Google admitted its mistake and conducted a proper investigation into the matter. It acknowledged the flaw as a security issue and labeled it a ‘P1’ fix, which indicates the topmost priority status.
"After taking a closer look we realized that this indeed doesn't seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on […] We apologize again for the confusion and we understand our initial response might have been frustrating, thank you so much for pressing on for us to take a closer look at this! We'll keep you posted with our assessment and the direction that this issue takes," Google said in a statement.
Google’s warning serves as a caution to online users that security features, too, are vulnerable to flaws, however advanced they become. It is therefore important to stay vigilant even about ‘safety’ features. Users must also be careful when communicating by email.