On Wednesday, Google patched a major security bug affecting the Gmail and G Suite mail servers.
Security researcher Allison Husain discovered the flaw on April 1, 2020 and reported it to Google; 139 days and seven hours later, to be precise, Google fixed it on August 19, 2020.
In effect, Husain forced Google's hand. On August 19, 2020, she published on her personal blog all the information an attacker would need to exploit the bug, and about seven hours later Google had fixed it.
Gmail bug: why it was serious
Husain found that an attacker could get past two of the standard email-authentication checks Gmail and G Suite rely on, SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), and send mail to anyone while impersonating an unwitting Google email user.
Attackers could also use a native Gmail/G Suite mail-routing feature, “Change envelope recipient”, to redirect messages to an address of their own choosing, while spoofing the identity of any Gmail or G Suite customer.
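To make concrete what “circumventing SPF and DMARC” means, here is a small SPF and DMARC evaluator, added as an example for this article; it is not Google's code and not the researcher's proof of concept. It runs against constructed DNS records (the CIDR ranges, policies and IP addresses are placeholders, not gmail.com's real records) and ignores DKIM. It generalises beyond the specific Google bug to the pattern such bypasses rely on: SPF only ties the envelope sender's domain to the connecting IP, and DMARC only additionally requires that domain to align with the header From, so a message re-emitted from infrastructure the impersonated domain already authorizes, with an aligned envelope sender, passes both checks whatever its true origin.

```python
"""Minimal SPF + DMARC (SPF-alignment only) evaluator over constructed DNS data.

Added illustration for this article; not Google's code and not the
researcher's proof of concept. DKIM is left out for brevity, so a real
receiver could additionally pass DMARC via an aligned DKIM signature.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed zone data. The CIDR ranges and policies are hypothetical
# placeholders, NOT the real records published by gmail.com or anyone else.
DNS = {
    "gmail.com": {
        "spf": "v=spf1 ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=quarantine; aspf=r",
    },
    "example.org": {
        "spf": "v=spf1 ip4:192.0.2.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; aspf=s",
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip: str, mail_from_domain: str) -> str:
    """Evaluate the envelope-sender domain's SPF record against the connecting IP.

    Supports only the ip4:/ip6: and all mechanisms (no include:, a, mx, ...).
    """
    record = DNS.get(mail_from_domain.lower(), {}).get("spf")
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        if mech.lower() == "all":
            return QUALIFIERS[qualifier]
        if mech.lower() in ("ip4", "ip6") and addr in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def parse_dmarc(domain: str) -> dict:
    """Parse a 'tag=value; ...' DMARC record into a dict (empty if none published)."""
    tags = {}
    for part in DNS.get(domain.lower(), {}).get("dmarc", "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Crude organisational domain: last two labels. Real code uses the public suffix list."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def dmarc_check(raw_message: str, client_ip: str, mail_from: str) -> dict:
    """Return the SPF result, the DMARC verdict and the policy the From domain requests."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    mail_from_domain = mail_from.rsplit("@", 1)[-1].lower()

    spf = spf_check(client_ip, mail_from_domain)
    tags = parse_dmarc(from_domain)
    if not tags:
        return {"spf": spf, "dmarc": "none", "policy": "none"}

    if tags.get("aspf", "r") == "s":          # strict: exact domain match
        aligned = mail_from_domain == from_domain
    else:                                      # relaxed: same organisational domain
        aligned = org_domain(mail_from_domain) == org_domain(from_domain)
    verdict = "pass" if (spf == "pass" and aligned) else "fail"
    return {"spf": spf, "dmarc": verdict, "policy": tags.get("p", "none")}


# Constructed message: the header From impersonates a Gmail user.
SPOOFED = (
    "From: Victim <victim@gmail.com>\n"
    "To: target@example.org\n"
    "Subject: urgent\n"
    "\n"
    "Please wire the funds today.\n"
)


def direct_spoof() -> dict:
    """Sent from the attacker's own host with the attacker's own envelope domain."""
    return dmarc_check(SPOOFED, "198.51.100.7", "attacker@attacker.test")


def spf_pass_but_misaligned() -> dict:
    """The attacker's own domain passes SPF, but it does not align with the From header."""
    return dmarc_check(SPOOFED, "192.0.2.5", "attacker@example.org")


def relayed_spoof() -> dict:
    """Same message re-emitted from an IP the impersonated domain's SPF record
    authorizes, with an aligned envelope sender: both checks pass."""
    return dmarc_check(SPOOFED, "203.0.113.25", "anyone@gmail.com")


if __name__ == "__main__":
    for name, fn in [("direct", direct_spoof),
                     ("spf ok, misaligned", spf_pass_but_misaligned),
                     ("relayed via authorized IP", relayed_spoof)]:
        print(f"{name:>26}: {fn()}")
```

The third case is the one that matters for an article like this: the receiver has no way to tell an authorized relay that re-emits attacker-composed mail from legitimate mail, because neither SPF nor DMARC looks at who composed the message, only at which domain the connecting server is allowed to speak for. A production checker would also evaluate DKIM, resolve include: and a/mx mechanisms, and use the public suffix list for organisational domains.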
Google delayed patching the bug
Two days after finding the bug, on April 3, Husain reported it to Google, which replied on April 16, rating it priority 2 and severity 2.
On August 1, the researcher noted that the bug was still unfixed and told Google she intended to disclose it publicly on September 17. Google replied on August 5 that it was working on a fix that would ship before September 17, but on August 14 it reversed course and said the patch would not be ready by that date.
At that point the researcher went public ahead of her own deadline: at 8:00 am Pacific time on August 19 she posted full details of the flaw on her blog. At 3:13 pm the same day, Google reported the issue fixed.