Summary: Google Admin Console has a Security Flaw which can be used by attackers to claim domains and send out spoof emails.
As reported by Security Week, Patrik Fehrenbach and Behrouz Sadeghipour found a security flaw in Google Admin Console to gain temporary ownership of any domain. Google Admin Console is actually a web platform from where administrators manage their organization’s Google Apps account.
Researchers conducted some tests by claiming ytimg.com, which is used to host Youtube images and scripts, and gstatic.com, which is used by Google for loading content from its content delivery network (CDN). These two domain are owned by Google itself.
The researchers then used these domains to create users – email@example.com & firstname.lastname@example.org to send out mails.
Last month, we were able to report a vulnerability to Google where we were able to email from any domain that has not been claimed by its owner previously. For example, using google itself as a victim, we were able to claim domains such as ytimg.com and gstatic.com.
So not only we are claiming other domains, we were successfully able to trick the Google Mail Server into accepting a wrong FROM parameter. Google patched this vulnerability by simply with applying a FROM email@example.com
Google has addressed this vulnerability and the researchers have been awarded $500 for their efforts. Earlier too, other researchers identified even more serious vulnerabilities in the Google Apps Admin console. A researcher was reportedly awarded $5000 from Google after discovering Critical Cross-Site Scripting (XSS) vulnerability in the Admin Console in January.
Both Google & Apple are expected to release fixes for the FREAK Security Vulnerability, a legacy Secure Sockets Layer (SSL) and Transport Layer Security (TLS) security flaw which allows hackers to launch SSL Man-in-the-Middle (MITM) attacks.