Gmail Security Compromised: Verified Checkmark System Under Attack
Gmail’s newly introduced security measure, the verified checkmark system for emails, has already been exploited by scammers to deceive users. The system was launched with the intent of identifying verified companies and organisations with a blue checkmark, providing a seal of authenticity to help users distinguish legitimate emails from potential scams. However, the system which was designed to safeguard users, is now ironically being used as a tool against them.
Chris Plummer, a cyber security engineer, was the first to spot this exploitation. In an alarming discovery, Plummer noticed that scammers had managed to trick the system into accepting their fake brands as legitimate, effectively turning the trust-inducing checkmark into a weapon against unsuspecting Gmail users. “The sender found a way to dupe @gmail’s authoritative stamp of approval, which end users are going to trust,” Plummer explained. This unwarranted approval led to an email routed from a Facebook account, through a UK netblock, to an Office 365 account, and then to him, passing as a verified email when it was anything but.
Plummer immediately reported this glaring security flaw to Google and this report was initially dismissed as “intended behaviour”. However, his subsequent tweets highlighting the issue quickly went viral, forcing Google to acknowledge the error. In a statement to Plummer, Google admitted, “After taking a closer look we realised that this indeed doesn’t seem like a generic SPF (Sender Policy Framework) vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on.” Google expressed regret for the initial confusion and appreciated Plummer’s persistence in raising the issue. The company has now listed the flaw as a ‘P1’ or Top Priority fix, which is currently in progress.
While Google works on a fix, Gmail users are advised to exercise caution. The Gmail checkmark verification system, in its current state, remains compromised, and hackers and spammers are able to use it to trick users into believing fraudulent emails are genuine. 1.8 Billion Gmail users can thank Plummer, not just for his discovery, but also for his relentless efforts to make Google acknowledge the problem. Despite the verification system’s current vulnerability, Gmail’s security remains a top priority, and users are urged to stay vigilant in these uncertain times.
At One2Call can protect your emails with Active Email Threat Protection, this service can monitor for the legitimacy of email sources, monitor the links within email to confirm their legitimacy and also look for unusual or suspicious behaviour/sentiment within emails that could potentially be harmful to your business. If you would like to find out more about Active Email Threat Protection, click the link below, or download our Free Cyber Security Self Assessment form where we can work with your business to ensure that you have the best Cyber Security policies and practices in place to protect your business against evolving cyber threats.
Latest News Stories
Is your business ready for the ISDN/PSTN Switch Off?
In 2025, the older ISDN and PSTN systems will be switched off, leaving businesses that are still using these older systems at that time without a functioning service. This means that now is the time to start thinking about updating your business phone system to a more...
Protecting your Business from Cyber Attack
Cyber attacks are a constant threat to modern businesses, but how well your business handles them depends on the solutions you have in place to protect yourself. Ignoring cybersecurity can have serious consequences, such as losing private information and breaching...
A notice regarding One2Call service pricing
This communication aims to provide you with as much notice as possible of anticipated AND in place supplier-led market price increases. We have been closely monitoring the sector and our suppliers, who have indicated that due to the adverse inflationary effects on...
Our Customers
Testimonials
James, Proove Restaurant
Very helpful, did exactly what I needed.
Mick, Utility 360
They’re always so helpful and nothing is ever too much trouble!
Sarah Wroe, Commercial Property Partners
Stayed late on a Friday evening to fix my computer. Thank you