
Google OAuth flaw exploited to bypass Gmail security filters


A phishing campaign that abuses Google’s OAuth application flow and DKIM signing to slip past Gmail’s security filters has been identified. The lure is convincing because the message is a genuine Google security alert: it originates from Google’s own infrastructure, carries a valid DomainKeys Identified Mail (DKIM) signature for google.com, and therefore passes DKIM verification, and with it DMARC, when the attacker forwards it to victims, since the signing domain aligns with the From address.

The message directs recipients to a fraudulent website posing as a legitimate ‘support portal’, which prompts them to enter their Google account credentials. Although a threat actor sent the message, its From header shows Google’s legitimate sender, “no-reply@accounts.google.com”.

Nick Johnson, lead developer of Ethereum Name Service, reported receiving an alert that appeared to be sent by Google and requested his Google account information. In a post on X, Johnson said, “It exploits a vulnerability in Google’s infrastructure, and given their refusal to fix it, we’re likely to see it a lot more.” The message was made more credible by a link to a seemingly genuine Google support page hosted on sites.google.com. Johnson noticed, however, that the page lived on Google’s free website builder (sites.google.com), where anyone can publish content under a google.com hostname, rather than on accounts.google.com, and that raised his suspicion.

The phishing message claimed that a law enforcement agency had served a subpoena on Google LLC and included a case reference number that could pass for an official one. Security researchers describe the technique as a DKIM replay attack: rather than forging or breaking DKIM, the attacker obtains a message that Google itself signed, here by abusing Google’s OAuth authorisation flow so that Google generates a security alert containing attacker-controlled text, and then forwards that signed message unchanged, so the signature still verifies at the victim’s mail server. The headers gave it away: the mailed-by field showed a domain other than Google’s ‘no-reply’ sender, and the To address was a ‘me@’ mailbox on a domain chosen to resemble Google infrastructure rather than the victim’s own address.
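One way to check an inbound message for the header indicators described above, as an added example that is not from the article, from Johnson or from Google: a small Python script that parses a raw message and flags a google.com-signed alert whose envelope sender is a non-Google relay, whose To header is not the mailbox it was delivered to, whose recipient is a ‘me@’ placeholder, or whose body links to sites.google.com. Both sample messages are constructed; every domain, selector, hash and URL path in them is a placeholder, not data from the real campaign.

```python
"""Heuristic checks for a replayed, legitimately DKIM-signed Google alert.

Added example (not from the article). The sample messages below are
constructed; every domain, selector, hash and URL path is a placeholder.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the indicators the article describes:
# a genuine google.com DKIM signature, but an envelope sender on a
# non-Google relay and a "me@" To: address that is not the victim.
SAMPLE_REPLAYED = """\
Delivered-To: victim@example.com
Return-Path: <bounce@fwd-relay.example.net>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=sel; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: me@mail-relay-google-example.net
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

A subpoena was served on Google LLC. Review the case at
https://sites.google.com/view/support-case-placeholder
"""

# Constructed benign counterpart: same From, but delivered to the addressed
# recipient, bounced to a Google-owned domain, linking to a Google account page.
SAMPLE_LEGIT = """\
Delivered-To: victim@example.com
Return-Path: <bounce@accounts.google.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=sel; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

A new sign-in was detected. Review it at
https://myaccount.google.com/notifications
"""


def _address(header_value):
    """Return the bare, lower-cased address from a header value."""
    return parseaddr(str(header_value or ""))[1].lower()


def _domain(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def _is_google_domain(domain):
    return domain == "google.com" or domain.endswith(".google.com")


def dkim_signing_domain(msg):
    """Extract d= from the DKIM-Signature header (no signature verification here)."""
    sig = str(msg.get("DKIM-Signature", ""))
    match = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return match.group(1).lower() if match else ""


def replay_indicators(raw_message):
    """Return the list of DKIM-replay indicators found in a raw RFC 5322 message.

    Assumes Delivered-To and Return-Path were stamped by your own MTA, so they
    describe the hop that actually reached you rather than attacker-supplied text.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    from_domain = _domain(_address(msg.get("From")))
    bounce_domain = _domain(_address(msg.get("Return-Path")))
    delivered_to = _address(msg.get("Delivered-To"))
    to_addr = _address(msg.get("To"))

    # Signature is valid for google.com and From is a Google address, yet the
    # message bounced through somebody else's relay: the hallmark of a replay.
    if (_is_google_domain(dkim_signing_domain(msg))
            and _is_google_domain(from_domain)
            and bounce_domain
            and not _is_google_domain(bounce_domain)):
        flags.append("envelope-sender-mismatch")

    # The signed To: header names a mailbox other than the one we delivered to.
    if delivered_to and to_addr and to_addr != delivered_to:
        flags.append("to-header-not-recipient")

    # A "me@" placeholder recipient, as seen in the reported message.
    if to_addr.startswith("me@"):
        flags.append("me-at-recipient")

    # Google-branded lure hosted on the free site builder, not accounts.google.com.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if re.search(r"https?://sites\.google\.com/", text):
        flags.append("sites-google-link")

    return flags


if __name__ == "__main__":
    for name, raw in (("replayed", SAMPLE_REPLAYED), ("legit", SAMPLE_LEGIT)):
        print(name, replay_indicators(raw))
```

The script deliberately does not re-verify the DKIM signature: in a replay the signature is genuine, and DMARC passes because the d=google.com signing domain aligns with the From address, so the useful signals are the ones DKIM does not cover, namely the envelope sender your own MTA recorded, the mismatch between the signed To header and the actual recipient, and where the link points. Return-Path and Delivered-To are only meaningful when your receiving server added them; never trust copies of those headers that arrived inside the message.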

Google confirmed being aware of the phishing campaign and said that steps are being taken to mitigate the threat, with a specific solution to be fully deployed in the near future. Johnson said, “Google has reconsidered and will be fixing the OAuth bug!”

Cybersecurity experts recommend enabling two-factor authentication, using passkeys wherever possible, and treating any email that asks for account credentials to verify or log in with suspicion, whatever its apparent source. The credential-harvesting page itself is conventional; what sets this campaign apart is that the lure is a genuine, Google-signed message produced by abusing Google’s own authorisation infrastructure, which is why the usual email authentication checks do not catch it.


Arun Maity


Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
