By Eduard Kovacs on August 20, 2020
Google released a patch for an email spoofing vulnerability affecting Gmail and G Suite seven hours after it was publicly disclosed, but the tech giant had known about the flaw since April.
The vulnerability was disclosed on Wednesday by researcher Allison Husain, who described her findings in a blog post and shared proof-of-concept (PoC) code. The issue, related to missing verifications when configuring mail routes, could have been exploited by an attacker to send an email as another Gmail or G Suite user while bypassing protection mechanisms such as DMARC and SPF.