0

A report entitled "Exploiting the Trust Hierarchy among Email Servers" published by Pablo Ximenes from the University of PR at Mayaguez, USA and Andre dos Santos at the State University of Ceara, Brazil suggests that Google Mail is flawed in such a way so as to turn it into massive spam machine.

The report says that the researchers have uncovered a flaw in Google's free email service, Gmail, and that it "presents a vulnerability report and a proof of concept attack that demonstrate how anyone with no special internet access privileges other than being able to connect to SMTP (TCP port 25) and HTTP (TCP port 80) servers is able to exploit a single Gmail Account in order to be granted nearly unrestricted access to Google’s massive white-listed SMTP relay infrastructure."

If true, this vulnerability would enable an attacker to bypass both blacklist and whitelist filtering as well as easily forge all the fields within a message, in effect tricking the Google SMTP servers into functioning as an open relay.

Ximenes and dos Santos say "we were able to confirm that this vulnerability is indeed exploitable by assembling a proof of concept (PoC) attack that allowed us to use one single Gmail account to send bulk messages to more than 4,000 email targets (which surpasses Gmail’s 500 messages limit for bulk messages). Although we have limited the number of messages in our example to 4,000+, no counter measures took place that would have prevented us from sending more messages, and for that matter sending an unlimited number of messages. Additionally, we were able to use this vulnerability to forward messages that originally were classified as spam directly to a victim's inbox effectively bypassing filters. The attack specifically exploits Gmail’s email forwarding functionality. This is possible because no restriction or verification is imposed during the setup process of this option. We were able to write a program that automatically exploits this flaw in a compromised Gmail account to send bulk and forged messages to an unlimited number of email addresses while preserving all of the message’s original fields (legitimate or forged) unaltered, including sender's identity data (From: field). Since attack messages are carried by Google's own SMTP servers, the blacklist/whitelist based trust hierarchy that exists between Google’s and other Third Parties’ email servers is compromised, effectively converting Gmail’s servers into the perfect spam/phishing aid. With this flaw, spammers need only to exploit one Gmail account in order to obtain results similar to those of a botnet based spam. To our best knowledge this is the first public description of this vulnerability and also the first proof of concept attack. Google has already been notified about this issue ad we are waiting their position to release further details."

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

1
Contributor
0
Replies
1
Views
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.