A critical vulnerability affecting Google Apps for Work allows attackers to send phishing emails. The vulnerability in Google Apps for Work could be exploited to send emails by abusing any website’s domain name and run phishing campaign on the victim’s behalf.
Google Apps for Work is a suite of collaborative productivity apps that was designed to offer businesses a collection of professional tools, including email, shared calendars, online document editing and storage, video meetings, and much more.
Every user that has a corporate email address, that appears like email@example.com instead of firstname.lastname@example.org, can register an account with Google Apps for Work. To get a custom domain name based email service from Google, the user just needs to sign up like a normal Gmail account. Once created, the user can access his domain’s admin console panel on Google app interface, but he cannot be able to use any service until he will complete domain verification process adopted by Google.
The cyber security researchers Patrik Fehrenbach and Behrouz Sadeghipour discovered that an attacker can register any unused (not previously registered with Google apps service) domain, example: mynewco.com with Google apps for Work to open the ‘email@example.com‘ account.
“Last month, we were able to report a vulnerability to Google where we were able to email from any domain that has not been claimed by its owner previously. For example, using google itself as a victim, we were able to claim domains such as ytimg.com and gstatic.com.” states a blog post from published by the researchers.
The account could be used only after that Google has verified the domain though the “Verify domain ownership” process:
“Before your organization can use Google services like Gmail with your company’s domain, you’ll need to verify that you own it. This ensures that no one else can use services or send email that appears to come from your company.” states Google
The two researchers explained to the The Hacker News that there is a page on Google apps that allows domain administrator to send ‘Sign in Instructions’ to the company users i.e. firstname.lastname@example.org (must be created from panel before proceeding) by simply accessing following URL:
By using the online email editor, an attacker could send any kind of phishing email containing malicious links to the target users. The technique could be effective to steal sensitive information including web service credentials.
In the example provided by the colleagues at TheHackerNews, before the vulnerability was fixed, the researchers obtained email@example.com and sent an email to the victim, reporting the following subject:
Welcome to Twitter, which can convince users into submitting their Twitter credentials to the given phishing pages.
After the duo reported the flaw in Google Apps for Work to Google, the company immediately patched it, anyway the experts explained that the fix is just partial. According to the two researchers, in fact, the attacker is still able to access ‘Send Sign in Instructions’ for unverified domains, but this time via firstname.lastname@example.org, instead of the custom email address.
“However you can still claim any domain and have access to the admin console through out the “validation process” and that is by design.” continues the post.
This means that victims will receive email from apps-noreply, but evidently the measure is not satisfactory.
“Google believes that showing the sender as apps-noreply is good enough.” Behrouz told The Hacker News,
It’s clear that by abusing of this Google Apps vulnerability, phishers could send phishing emails avoiding Google detection because the mail is sent by the servers of the company.
(Security Affairs – Google Apps vulnerability, Google Apps for Work)