Gmail’s new blue checkmark verification system debuted less than a month ago and was designed to help businesses verify their marketing emails and distinguish them as legitimate. However, the system’s effectiveness falls short of its noble goal.
Last week, Chris Plummer, a senior cybersecurity architect for Dartmouth Health, took to Twitter to expose a flaw in Gmail’s blue checkmarks, revealing that it is possible to forge these badges.
The verification process relies on Brand Indicators for Message Identification (BIMI), Domain-based Message Authentication, Reporting, and Conformance (DMARC), and a Verified Mark Certificate (VMC) issued by trusted certification authorities such as Entrust or DigiCert. Together, these measures are intended to verify both the logo and the domain it is associated with.
Vindication for Plummer
Plummer refrains from divulging the specific methods scammers use to circumvent the system. However, he provides an example of an email from a scammer. It utilized the UPS logo and a domain incorporating “ups.com” to imitate an official checkmarked email.
This revelation is concerning, particularly given that an initial bug report filed by Plummer was dismissively marked as “intended behavior” by Google. However, the company eventually reversed its stance and reopened the issue, leaving room for potential fixes, albeit without a specified timeline.
Although a verification system like this could offer significant benefits, scammers persistently seek out vulnerabilities.
Changes will be implemented
In response to the situation, Google has released a statement explaining that the issue arises from a third-party vulnerability. In addition, it states that senders will now be required to adhere to the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for blue checkmarks.
This new requirement will be implemented by the end of the week.
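To make the change concrete, the following added example (not code from the article, Google or Plummer) parses constructed DMARC and BIMI TXT records for a hypothetical domain, checks the DMARC policy against the usual BIMI eligibility rule (enforcing p=, pct=100, no weaker sp=), and then compares the old "any DMARC pass" rule with a rule that insists on a DKIM-aligned pass, which is how the article describes Google's new requirement. The domain, URLs and function names are assumptions; no DNS lookups are performed.

```python
"""Decide whether a message qualifies for a brand indicator under a
DMARC-pass-only rule versus a rule that also requires an aligned DKIM
pass. Records below are constructed for a hypothetical example.com."""
from dataclasses import dataclass

DMARC_TXT = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com"
BIMI_TXT = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"


def parse_tags(txt: str) -> dict:
    """Split a 'tag=value; tag=value' DNS TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy_eligible(dmarc: dict) -> bool:
    """BIMI expects an enforcing DMARC policy applied to all mail:
    p=quarantine or p=reject, pct=100, and no weaker subdomain policy."""
    if dmarc.get("v") != "DMARC1":
        return False
    policy = dmarc.get("p", "none")
    sub_policy = dmarc.get("sp", policy)   # sp defaults to p when absent
    pct = int(dmarc.get("pct", "100"))     # pct defaults to 100 when absent
    enforcing = ("quarantine", "reject")
    return policy in enforcing and sub_policy in enforcing and pct == 100


@dataclass
class AuthResult:
    """Authentication outcome for one received message (assumed inputs)."""
    spf_aligned_pass: bool   # SPF passed and the envelope domain aligns with From:
    dkim_aligned_pass: bool  # a DKIM signature verified and its d= aligns with From:


def dmarc_pass(result: AuthResult) -> bool:
    """RFC 7489: DMARC passes if either aligned SPF or aligned DKIM passes."""
    return result.spf_aligned_pass or result.dkim_aligned_pass


def show_indicator(result: AuthResult, dmarc: dict, bimi: dict, require_dkim: bool) -> bool:
    """Old rule: any DMARC pass suffices. New rule: a DKIM-aligned pass is required,
    so an SPF-only DMARC pass no longer earns the indicator."""
    if not dmarc_policy_eligible(dmarc) or bimi.get("v") != "BIMI1" or not bimi.get("l"):
        return False
    return result.dkim_aligned_pass if require_dkim else dmarc_pass(result)
```

The interesting case is a message whose DMARC pass rests on SPF alone: it earns the indicator under the old rule and is refused under the DKIM-required rule.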
This incident highlights the constant battle between security measures and determined scammers. Despite the setback, Google’s commitment to user safety is evident in its efforts to address the issue promptly and enhance the authentication process.