Google has been looking into several ways of making sure that people are secure whenever they receive emails. One of the measures it has put in place is the recently announced Gmail feature called Brand Indicators for Message Identification (BIMI), which allows companies to verify their identity and receive a blue checkmark next to their name, so that a user who receives an email from a verified company can tell that it is genuine. However, it looks like some scammers have found a way to exploit this.
The Gmail security bug can be a threat that Google needs to take care of as soon as possible
The issue was discovered by Chris Plummer, a cybersecurity engineer. Plummer found that scammers could easily fool Gmail's authentication system: with a little tinkering, they could pass themselves off as verified senders and therefore bypass all of the security checks. The bug was reported to Google, but, to everyone's surprise, the search engine giant closed the report, saying that the behavior was intended.
Plummer then took to Twitter to explain how the bug works and how Google had simply chosen to overlook it. This is what Plummer had to say:
“There is most certainly a bug in Gmail being exploited by scammers to pull this off, so I submitted a bug which Google lazily closed as ‘won’t fix – intended behaviour’. How is a scammer impersonating UPS in such a convincing way intended?”
— plum (@chrisplummer) June 1, 2023
Google, on the other hand, has not given Plummer's report a proper response. Still, this does look like a gaping flaw in Gmail's security, and now that the news is getting out and people are starting to question it, the attention may do some good; we might soon see some changes. You never know.
Until Google fixes Gmail, I would strongly advise that even when an email comes from an account with a verified badge, you check the actual sender address, which will tell you where the message really came from. That is the only protection I can think of at the moment because, as Plummer has said, the issue is serious, and honestly, it is a lot more serious than some might think.
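To make that advice concrete, here is an added example (it is not code from the article, from Plummer, or from Google): a small Python script that reads a raw email, shows the real address behind the display name, and reads the receiving server's Authentication-Results header to see which domain was actually authenticated. It goes one step beyond the article's "check the address" advice by also checking whether the DKIM and DMARC results line up with the From domain. The three sample messages, the domains in them (parcel-alerts.test, brand-example.test, bulk-relay.test) and the optional expected_domain parameter are all constructed for this example; the display name "UPS" is used only because that is the brand named in the article.

```python
"""Check who an email really came from: the address behind the display name,
and which domain the receiving server actually authenticated (SPF/DKIM/DMARC)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages for this example (not real mail). The display name
# says "UPS" in all three; only the addresses and authentication results differ.
SAMPLE_IMPERSONATION = """\
From: "UPS" <notice@parcel-alerts.test>
To: someone@example.test
Subject: Your parcel is on hold
Authentication-Results: mx.example.test;
 dkim=pass header.i=@parcel-alerts.test header.d=parcel-alerts.test;
 spf=pass smtp.mailfrom=parcel-alerts.test;
 dmarc=pass (p=REJECT) header.from=parcel-alerts.test

Please confirm your delivery address.
"""

SAMPLE_GENUINE = """\
From: "UPS" <no-reply@brand-example.test>
To: someone@example.test
Subject: Shipment update
Authentication-Results: mx.example.test;
 dkim=pass header.i=@brand-example.test header.d=brand-example.test;
 spf=pass smtp.mailfrom=bounce@brand-example.test;
 dmarc=pass (p=REJECT) header.from=brand-example.test

Your shipment is on its way.
"""

SAMPLE_UNALIGNED = """\
From: "UPS" <support@brand-example.test>
To: someone@example.test
Subject: Account notice
Authentication-Results: mx.example.test;
 dkim=pass header.i=@bulk-relay.test header.d=bulk-relay.test;
 spf=pass smtp.mailfrom=bulk-relay.test;
 dmarc=fail (p=REJECT) header.from=brand-example.test

Please log in to review your account.
"""


def _domain_of(address: str) -> str:
    """Lowercase domain part of an address ('' if there is no '@')."""
    return address.rpartition("@")[2].strip().lower()


def parse_auth_results(header_value: str) -> dict:
    """Extract method verdicts and authenticated domains from an
    Authentication-Results header (RFC 8601 style)."""
    text = " ".join(header_value.split())  # unfold the header
    out = {"spf": None, "dkim": None, "dmarc": None,
           "dkim_domain": "", "spf_domain": "", "dmarc_domain": ""}
    for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", text, re.I):
        out[method.lower()] = verdict.lower()
    for key, pattern in (("dkim_domain", r"header\.d=([\w.-]+)"),
                         ("spf_domain", r"smtp\.mailfrom=(?:[\w.+-]+@)?([\w.-]+)"),
                         ("dmarc_domain", r"header\.from=([\w.-]+)")):
        m = re.search(pattern, text, re.I)
        if m:
            out[key] = m.group(1).lower()
    return out


def _same_or_subdomain(domain: str, parent: str) -> bool:
    return bool(domain and parent) and (domain == parent or domain.endswith("." + parent))


def sender_report(raw_message: str, expected_domain: str = "") -> dict:
    """Summarise what the From header claims versus what was authenticated.
    expected_domain (hypothetical helper input) is the domain the reader knows
    the brand in the display name sends from; when given, any other domain is flagged."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(address)
    auth = parse_auth_results(" ".join(msg.get_all("Authentication-Results", [])))

    # Alignment: the DKIM-signed domain must be the From domain (or a parent of it),
    # and the DMARC verdict must refer to that same From domain.
    dkim_aligned = auth["dkim"] == "pass" and _same_or_subdomain(from_domain, auth["dkim_domain"])
    dmarc_pass = auth["dmarc"] == "pass" and auth["dmarc_domain"] == from_domain

    warnings = []
    if not address:
        warnings.append("From header carries no usable address")
    if not dmarc_pass:
        warnings.append("DMARC did not pass for the From domain")
    if not dkim_aligned:
        warnings.append("DKIM signature is not aligned with the From domain")
    if expected_domain and not _same_or_subdomain(from_domain, expected_domain.lower()):
        warnings.append(f"display name {display_name!r} but the address domain is "
                        f"{from_domain!r}, not the expected {expected_domain.lower()!r}")
    return {"display_name": display_name, "address": address, "from_domain": from_domain,
            "dkim_domain": auth["dkim_domain"], "dmarc": auth["dmarc"],
            "dkim_aligned": dkim_aligned, "dmarc_pass": dmarc_pass, "warnings": warnings}


if __name__ == "__main__":
    for label, raw in (("impersonation", SAMPLE_IMPERSONATION),
                       ("genuine", SAMPLE_GENUINE),
                       ("unaligned", SAMPLE_UNALIGNED)):
        report = sender_report(raw, expected_domain="brand-example.test")
        print(f"[{label}] {report['display_name']!r} <{report['address']}>")
        for w in report["warnings"]:
            print("   warning:", w)
```

The first sample is the case the article warns about: every authentication check passes, but it passes for parcel-alerts.test, the domain that actually sent the mail, not for the brand shown in the display name, so the only thing that gives it away is reading the address. The third sample shows the opposite failure, where the address looks right but the server's own results say the message was not signed by that domain. Both are worth a second look regardless of any badge the mail client draws next to the name.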