A major security bug made all Gmail and G Suite mailboxes vulnerable

On Wednesday, Google patched a major security bug affecting the Gmail and G Suite email servers.

Security researcher Allison Husain discovered the serious flaw and reported it to Google on April 1, 2020. After 139 days and seven hours, to be precise, Google fixed it on August 19, 2020.

The truth is, Allison Husain more or less forced Google to patch the issue. On August 19, 2020, Husain published on her personal blog all the information a hacker needs to exploit this bug. Just nine hours later, Google fixed the serious security bug.

Gmail bug: why it was serious

Husain discovered that a hacker could circumvent two of the most advanced email security standards used by Gmail and G Suite, namely SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), and send messages to anyone while impersonating an unwitting Google email user.

By exploiting this security bug, hackers could also configure automatic forwarding of all emails received in that mailbox to their own address, while spoofing the identity of any Gmail or G Suite customer through a native Gmail/G Suite feature named "Change envelope recipient."
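To see what "circumventing SPF and DMARC" means in practice, here is an added illustration written for this article, not code from Google or from Husain's write-up: a minimal DMARC evaluator following the RFC 7489 rules. SPF authenticates the envelope sender (MAIL FROM) domain and DKIM the signing domain, but DMARC only passes when one of those results is aligned with the header From domain the recipient sees. The two cases at the bottom are constructed: a legitimate message, and a message relayed by a trusted third party whose SPF result belongs to the relay's domain rather than the claimed From domain. The organizational-domain helper is a deliberate simplification (last two labels instead of the Public Suffix List), and all domain names are placeholders.

```python
"""DMARC evaluation with identifier alignment, as described in RFC 7489.

Added illustration for this article (not Google's code and not Allison
Husain's write-up). The inputs below are constructed: an SPF result for the
envelope sender (MAIL FROM) domain, zero or more DKIM results with the
signing domain (d=), the header From domain, and the sending domain's DMARC
TXT record.
"""
from typing import Dict, List, Tuple


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    # Relaxed alignment is the RFC default when adkim/aspf are absent.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.

    Assumption: a real evaluator consults the Public Suffix List so that
    e.g. 'example.co.uk' is handled correctly; two labels suffice here.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(
    header_from_domain: str,
    mail_from_domain: str,
    spf_result: str,
    dkim_results: List[Tuple[str, str]],
    dmarc_record: str,
) -> Dict[str, object]:
    """Combine SPF and DKIM into a DMARC verdict and the policy disposition.

    SPF authenticates the envelope sender, DKIM the signing domain; DMARC
    passes only if at least one of them passed AND its domain aligns with
    the header From domain that the recipient actually sees.
    """
    policy = parse_dmarc_record(dmarc_record)
    spf_aligned = spf_result == "pass" and aligned(
        mail_from_domain, header_from_domain, policy["aspf"]
    )
    dkim_aligned = any(
        result == "pass" and aligned(d, header_from_domain, policy["adkim"])
        for d, result in dkim_results
    )
    verdict = "pass" if (spf_aligned or dkim_aligned) else "fail"
    return {
        "dmarc": verdict,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # Only a failing message is subject to p= (none / quarantine / reject).
        "disposition": "none" if verdict == "pass" else policy["p"],
    }


# Constructed case 1: bounce subdomain as envelope sender, DKIM-signed by the
# From domain itself; relaxed alignment accepts both.
LEGITIMATE = evaluate_dmarc(
    header_from_domain="example.com",
    mail_from_domain="bounce.example.com",
    spf_result="pass",
    dkim_results=[("example.com", "pass")],
    dmarc_record="v=DMARC1; p=reject",
)

# Constructed case 2: the envelope sender belongs to a relay whose servers
# the SPF check trusts, but the header From claims a different domain. SPF
# passes for the relay's domain, yet nothing aligns with the From domain,
# so DMARC fails and the published p=reject policy applies.
RELAYED_SPOOF = evaluate_dmarc(
    header_from_domain="victim.example",
    mail_from_domain="relay-provider.example",
    spf_result="pass",
    dkim_results=[],
    dmarc_record="v=DMARC1; p=reject",
)

if __name__ == "__main__":
    for name, res in (("legitimate", LEGITIMATE), ("relayed_spoof", RELAYED_SPOOF)):
        print(name, res)
```

The point for mail administrators is that an SPF "pass" on its own says nothing about the From address a user reads; it is the alignment step that ties the authenticated domain to the visible sender, which is why a DMARC policy of `p=reject` (together with aligned DKIM signing) is what actually blocks display-name spoofing of your domain at receivers that enforce it.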

Google Delayed Patching the Bug

Two days after discovering the serious security bug, on April 3, Allison Husain reported it to Google, which replied on April 16, rating it priority 2 and severity 2.

On August 1, the researcher noticed that the bug was still there, awaiting a fix, and wrote to Google that she intended to make it public on September 17. Google replied on August 5 saying it was working on a fix that would arrive before September 17. But on August 14, Google changed its mind and said the patch would not arrive by that date.

At this point, the researcher lost patience and, at 8:00 am Pacific Time on August 19, posted all the details of the flaw on her blog. At 3:13 pm the same day, Google said it had fixed the issue.

Bhasker Das
Bhasker Das, with a master's in Cybersecurity, is a seasoned editor focusing on online security, privacy, and protection. When not decrypting the complexities of the cyber world, Anu indulges in his passion for chess, seeing parallels in strategy and foresight.
