Gmail Security Compromised: Verified Checkmark System Under Attack
Gmail’s newly introduced security measure, the verified checkmark system for emails, has already been exploited by scammers to deceive users. The system was launched with the intent of identifying verified companies and organisations with a blue checkmark, providing a seal of authenticity to help users distinguish legitimate emails from potential scams. However, the system that was designed to safeguard users is now, ironically, being used as a tool against them.
Chris Plummer, a cyber security engineer, was the first to spot this exploitation. In an alarming discovery, Plummer noticed that scammers had managed to trick the system into accepting their fake brands as legitimate, effectively turning the trust-inducing checkmark into a weapon against unsuspecting Gmail users. “The sender found a way to dupe @gmail’s authoritative stamp of approval, which end users are going to trust,” Plummer explained. This unwarranted approval led to an email routed from a Facebook account, through a UK netblock, to an Office 365 account, and then to him, passing as a verified email when it was anything but.
Plummer immediately reported this glaring security flaw to Google and this report was initially dismissed as “intended behaviour”. However, his subsequent tweets highlighting the issue quickly went viral, forcing Google to acknowledge the error. In a statement to Plummer, Google admitted, “After taking a closer look we realised that this indeed doesn’t seem like a generic SPF (Sender Policy Framework) vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on.” Google expressed regret for the initial confusion and appreciated Plummer’s persistence in raising the issue. The company has now listed the flaw as a ‘P1’ or Top Priority fix, which is currently in progress.
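The article does not say where the checkmark logic went wrong (Google itself ruled out a "generic SPF vulnerability"), but it does show why a bare SPF pass on a message relayed through another provider must not be treated as proof of the visible sender. The following is an added illustration, not code from the article or from Google: it parses an Authentication-Results header and accepts an SPF pass only when the authenticated MAIL FROM domain aligns with the From: domain. The domain names and headers are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real headers from the incident). The first
# models a forwarded message: SPF passes for the relay's bounce domain, while
# the visible From: claims a different brand.
FORWARDED = message_from_string(
    "From: Brand Support <support@brand.example>\n"
    "Authentication-Results: mx.receiver.example; spf=pass"
    " smtp.mailfrom=bounce.relay.example; dkim=none; dmarc=fail header.from=brand.example\n"
    "\nbody\n"
)
LEGITIMATE = message_from_string(
    "From: Brand Support <support@brand.example>\n"
    "Authentication-Results: mx.receiver.example; spf=pass"
    " smtp.mailfrom=brand.example; dkim=pass header.d=brand.example\n"
    "\nbody\n"
)

def parse_auth_results(value):
    """Parse an RFC 8601 Authentication-Results value into
    {method: (result, {property: value})}; the leading authserv-id is discarded."""
    results = {}
    fields = " ".join(value.split()).split(";")  # unfold, then split stanzas
    for field in fields[1:]:
        m = re.match(r"\s*(\w+)=(\w+)(.*)", field)
        if m:
            method, result, rest = m.groups()
            results[method] = (result, dict(re.findall(r"([\w.]+)=([^\s()]+)", rest)))
    return results

def org_domain(domain):
    """Crude organisational domain (last two labels). Production code should
    use the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def spf_aligned(msg):
    """True only when SPF passed AND the SPF-authenticated MAIL FROM domain
    aligns with the visible From: domain. A bare spf=pass on a message relayed
    through another provider vouches for the relay, not for the brand in From:."""
    spf = parse_auth_results(msg.get("Authentication-Results", "")).get("spf")
    if not spf or spf[0] != "pass":
        return False
    mailfrom = spf[1].get("smtp.mailfrom", "").rpartition("@")[2]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    return bool(mailfrom and from_domain) and org_domain(mailfrom) == org_domain(from_domain)
```

A filter that gates any "verified sender" badge on this alignment (or on a DKIM signature for the From: domain) refuses the forwarded sample while still accepting the legitimate one.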
While Google works on a fix, Gmail users are advised to exercise caution. The Gmail checkmark verification system, in its current state, remains compromised, and hackers and spammers are able to use it to trick users into believing fraudulent emails are genuine. 1.8 billion Gmail users can thank Plummer, not just for his discovery, but also for his relentless efforts to make Google acknowledge the problem. Despite the verification system’s current vulnerability, Gmail’s security remains a top priority, and users are urged to stay vigilant in these uncertain times.
One2Call can protect your emails with Active Email Threat Protection. This service monitors the legitimacy of email sources, checks the links within emails to confirm they are genuine, and looks for unusual or suspicious behaviour or sentiment within emails that could be harmful to your business. If you would like to find out more about Active Email Threat Protection, click the link below, or download our free Cyber Security Self Assessment form, and we will work with your business to ensure you have the best cyber security policies and practices in place to protect it against evolving cyber threats.