2021-09-24

If you use corporate Gmail (the Workspace version), someone could be receiving all of your emails without you ever seeing any sign that something is wrong. It’s a Gmail security flaw, first found in 2020 and supposedly acknowledged by Google at the time, but it hasn’t been fixed so far.

For finding it, the developer Leandro Duarte even received a commendation: he was listed in the Google Hall of Fame and offered a prize of US$500, which he preferred to donate to charity. But after all this celebration, Google seems to have forgotten about the problem.

Born in the favela of Paraisópolis, São Paulo, Leandro is the author of the book ‘Hackear Sem Programar’, in which he describes this problem and several others. He approached Digital Look on his own initiative to explain his concern.

“Google hasn’t fixed the flaw after years,” he says. “I got in touch a few times, but still nothing.”

How it should work

With the developer present, we were able to reproduce the problem. It’s basically this: any Google email account can easily be configured to automatically forward messages to another address. It’s a common function that has been around for many years.

To enable it, you click on ‘Settings’ (the gear), ‘All Settings’, and then the ‘Forwarding and POP/IMAP’ tab, as shown below:

Check ‘Enable POP for all emails (even those that have already been downloaded)’ and ‘Enable IMAP’. Click on the ‘Add a forwarding address’ button. It will ask for confirmation in a pop-up window.

After that, the address entered will receive an email from Google asking for confirmation:

The email contains a link that opens the confirmation in another pop-up. Once that’s done, you just go back to the original account, in the same settings screen, and activate forwarding. The entire process can be done in a matter of seconds.

Where is the security hole in Gmail?

So far, it’s just Gmail doing what it’s supposed to do. The glitch starts here: if the account is a standard Gmail account – that is, it ends with @gmail.com – you will get this warning:

It states: “You are forwarding your emails to [the address you typed]. This notice will no longer appear in 7 days”. The warning exists precisely in case forwarding has been activated maliciously.

Here’s the bug: if the account is from Google but doesn’t end in @gmail.com, because it uses another domain – like your work address, @empresaexamplo.com.br – this notice doesn’t exist. The process is exactly the same, but no warning appears.

This happens, for example, with companies and organizations that use the paid service Google Workspace (formerly G Suite). The account only needs to be a non-personal one provided by Google, with a domain other than @gmail.com.

What is the risk?

The risk is not that of a brute-force break-in: you need access to the Gmail settings screen, which only happens if you are logged into the browser with your credentials already active.

But given how easy it is to set up, it’s not that difficult. For example, it would be enough for the CEO of a company to turn his back for 5 minutes, leaving the webmail open, for an employee to plant the ‘tap’. Someone can also control the machine remotely, such as hackers through trojans, or the company’s IT staff.

In the Gmail app, there’s no way to configure forwarding – and there’s no warning either.

The same process could be done on a personal @gmail.com account. But the person would get the warning. When this is done on the professional account, the person has no clue that their emails are being sent to another person. The only way to find out is to manually open these settings and see if there’s an email forwarding set up (and remove it if there is, of course).
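The manual check described above can be scripted. The following is an added example, not code from the article or from Google: it audits the Gmail API settings resources (getAutoForwarding, forwardingAddresses.list and filters.list) for any destination not on an approved list, and also flags filters with a forward action, a second forwarding route the article does not discuss. The API responses are constructed samples so the audit runs offline; `fetch_live()` shows the real calls for an authorized `googleapiclient` service object.

```python
"""Audit a Gmail / Workspace mailbox for forwarding set up without the owner's knowledge."""


def audit_forwarding(auto_forwarding, forwarding_addresses, filters, allowed=frozenset()):
    """Return human-readable findings; an empty list means nothing unexpected."""
    allowed = {a.lower() for a in allowed}
    findings = []
    # 1. Account-wide auto-forwarding (the setting the article describes).
    if auto_forwarding.get("enabled"):
        dest = auto_forwarding.get("emailAddress", "")
        if dest.lower() not in allowed:
            findings.append(f"auto-forwarding enabled to {dest} "
                            f"(disposition={auto_forwarding.get('disposition')})")
    # 2. Registered forwarding addresses: a verified one is ready to be switched on.
    for addr in forwarding_addresses.get("forwardingAddresses", []):
        dest = addr.get("forwardingEmail", "")
        if dest.lower() not in allowed:
            findings.append(f"forwarding address {dest} registered "
                            f"(status={addr.get('verificationStatus')})")
    # 3. Filters with a forward action: per-message forwarding that never touches
    #    the main forwarding switch, so it must be checked separately.
    for flt in filters.get("filter", []):
        dest = flt.get("action", {}).get("forward")
        if dest and dest.lower() not in allowed:
            findings.append(f"filter {flt.get('id')} forwards matching mail to {dest}")
    return findings


def fetch_live(service, user_id="me"):
    """Fetch the three resources with google-api-python-client (not run here)."""
    settings = service.users().settings()
    return (settings.getAutoForwarding(userId=user_id).execute(),
            settings.forwardingAddresses().list(userId=user_id).execute(),
            settings.filters().list(userId=user_id).execute())


# Constructed sample responses mimicking the API's JSON shapes (not real data).
SAMPLE_AUTO_FORWARDING = {"enabled": True, "emailAddress": "Outside-Box@example.net",
                          "disposition": "leaveInInbox"}
SAMPLE_ADDRESSES = {"forwardingAddresses": [
    {"forwardingEmail": "outside-box@example.net", "verificationStatus": "accepted"}]}
SAMPLE_FILTERS = {"filter": [
    {"id": "filter-0001", "criteria": {"from": "finance@example.com"},
     "action": {"forward": "outside-box@example.net"}}]}

if __name__ == "__main__":
    for line in audit_forwarding(SAMPLE_AUTO_FORWARDING, SAMPLE_ADDRESSES, SAMPLE_FILTERS):
        print("FINDING:", line)
```

Run against every mailbox in a Workspace domain (with domain-wide delegation) and alert on any non-empty result; the sample mailbox above produces three findings.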

What Google says

We searched Google for an answer. Here’s what they said:

“We created our Vulnerability Rewards Program specifically to identify and fix potential bugs like this. We appreciate the participation of the researcher and the security community in general in these programs. We are looking into the matter and will take steps to help protect users.” – Google communication service

It’s an expected response. But they also gave an answer this afternoon, before this one, to Leandro Duarte himself. It was an update to the original problem report. And it’s quite different from the one above.

“Hello Leandro, We wanted you to know that we discussed this [problem] with the Gmail team and concluded that this function [that is, the warning] for Workspace [the corporate Gmail] would be interesting to maybe eventually have in consumer accounts, but we’re not going to treat it as a vulnerability, but as a suggestion for [the inclusion of a] feature. Thanks again for your report.” – Google technical team

This answer seems quite definitive. Either Google changed its mind within hours or one answer contradicts another.

Anyway, if you have a corporate Google account, open the settings and check whether any forwarding address is registered there. Just repeat the process described above.

