
Email Spoofing Flaw Found in Google Admin Console

  • March 9, 2015

Jasper_The_Rasper
Moderator
By Eduard Kovacs on March 09, 2015

Researchers have identified a security issue in the Google Apps Admin console that could have been exploited to claim any domain and use it to send out spoofed emails.

Patrik Fehrenbach and Behrouz Sadeghipour said they noticed last month that they could use the Google Admin console, which allows administrators to manage their organization’s Google Apps account, to gain temporary ownership of any domain that wasn’t previously claimed.

The experts conducted some tests by claiming two domains owned by Google itself. The targeted domains were ytimg.com, which is used to host YouTube images and scripts, and gstatic.com, which is used by Google for loading content from its content delivery network (CDN).

Full Article

1 reply

10 Mar 2015 at 00:58, Darren Paul

Security probers Patrik Fehrenbach and Behrouz Sadeghipour have found a (since-patched) flaw in Google Apps that allowed criminals to register corporate domains and send white-listed phishing emails from admin addresses.
The Choc Factory patched the flaw and handed the duo US$500 by way of thanks.
The flaw meant attackers could register the name of a company that had not signed up to Google Apps for Work, then send phishing emails to staff that appear to come from a legitimate corporate domain. The ruse meant those poisoned messages did not trip spam filters.
 
full article