White-listed phish slip through Google Apps
Patch kills admin from sent addresses
Security probers Patrik Fehrenbach and Behrouz Sadeghipour have found a (since-patched) flaw in Google Apps that allowed criminals to register corporate domains and send white-listed phishing emails from admin addresses.
The Choc Factory patched the flaw and handed the duo US$500 by way of thanks.
the flaw meant attackers could register the name of a company that had not signed up to Google Apps for Work, then send phishing emails to staff that appear to come from a legitimate corporate domain. The ruse meant those poisoned messages did not trip spam filters.
To find and test the flaw, Fehrenbach and Sadeghipour sent emails from admin accounts from Choc Factory content sites ytimg and gstatic which were not flagged as suspicious. that effort showed that "... if you claim the domain via the admin console, you can see that there were no warnings given to the user, and if the user checks the mail headers the server is a trusted server," the pair wrote in an advisory.
"So not only we are claiming other domains, we were successfully able to trick the Google Mail Server into accepting a wrong FROM parameter."
The attack relied on a normal claim form which allows users temporary access to a new domain from where the phishing emails could be sent.
Those emails are permitted to issue sign-up instructions but also allow the inclusion of malicious phishing links, the pair found.
Google patched the vulnerability by changing the received email address from admin to firstname.lastname@example.org. ®