The feature, known as the Gmail checkmark system, was introduced last month to help users identify verified companies and organizations through a blue checkmark, making it easier for them to identify messages from legitimate senders versus impersonators. However, cybercriminals have managed to trick Gmail’s verification process, raising questions over the integrity and security of the email platform. New Hampshire Cybersecurity engineer Chris Plummer was the first to notice this vulnerability. He found out that scammers are spoofing Google’s new “Brand Indicators for Message Identification,” or BIMI, system in Gmail, reported first by Forbes. For those uninitiated, Brand Indicators for Message Identification (BIMI) in Gmail is a feature that requires senders to use strong authentication and verify their brand logo in order to display a brand logo as an avatar in emails. As per Plummer, he received a malicious spoofed email in his Google inbox, which was incorrectly checkmarked to show that it was sent by UPS. He found out that hackers had successfully used a flaw in the checkmark system to deceive Gmail into believing that the emails coming from the fake brands are legitimate. After discovering the issue, Plummer reported the vulnerability to Google through its bug bounty program. Sadly, though, Google didn’t believe his discovery and rejected his report with the message “won’t fix – intended behavior”.
— plum (@chrisplummer) June 1, 2023 “How is a scammer impersonating @UPS in such a convincing way ‘intended’[?] he wrote. “The sender found a way to dupe @gmail’s authoritative stamp of approval, which end users are going to trust. This message went from a Facebook account, to a UK netblock, to O365, to me. Nothing about this is legit.” It was only after Plummer’s tweets about the problem became viral, did Google agree that there was a mistake and deployed a team to investigate the matter. The company has reopened the bug report and listed the flaw as a ‘P1’ (top priority) fix, which is currently “in progress.” “After taking a closer look, we realised that this indeed doesn’t seem like a generic SPF vulnerability. Thus we are reopening this, and the appropriate team is taking a closer look at what is going on,” Google said in a statement. “We apologise again for the confusion, and we understand our initial response might have been frustrating, thank you so much for pressing on for us to take a closer look at this! We’ll keep you posted with our assessment and the direction that this issue takes.” In a statement given to SC Media, Google said, “This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are. To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status.” Since Google is still working on a solution to fix the current security loophole in Gmail’s checkmark system, users remain susceptible to potential scams and phishing attempts until the issue is resolved. Hence, users are advised to exercise caution and remain wary when dealing with email communications.