A new security alert has been issued to Gmail’s 1.8 billion users

5/6 update below. This post was originally published on June 3

Gmail’s security has always been one of its biggest selling points, but now one of the hottest new security features is being actively used by hackers to trick users.

submitted last month, Gmail check mark system Highlights verified companies and organizations for users with a blue check mark. The idea is to help users distinguish which emails are legitimate and which have been sent by phishing impersonators. Unfortunately, scammers cheated the system.

Monitored by a cyber security engineer Chris PlummerScammers have found a way to convince Gmail that their fake trademarks are legitimate. And in doing so, by using the trust that the checkmark system is supposed to instill against Gmail users.

“The sender has found a way to spoof gmail’s approved stamp of approval, which end users will trust,” Plummer explains. “This message went from the Facebook account, to the UK netblock, to O365, to me. Nothing about this is legit.”

Plummer reports that Google initially dismissed his discovery as “intentional behavior” before his tweets about it went viral, and the company acknowledged the error. In a statement to Plummer, Google wrote:

“After taking a closer look, we realized this actually didn’t look like a general weakness in the SPF. So we’re reopening this, and the appropriate team is taking a closer look at what’s going on.”

We apologize again for the confusion and understand our initial response may have been frustrating, thank you so much for pressuring us to take a closer look at this!

We’ll keep you posted with our assessment and the direction this issue takes.

Regards, Google Security Team”

Plummer Highlights Google has now listed the bug as a “P1” (high priority) fix, which is currently “in progress”.

Big credit goes to Plummer, not only for discovering it, but for the lengths he went to to get Google to acknowledge the problem. However, until Google fixes it, Gmail’s checkmark verification system remains broken and hackers and spammers use it to trick you into the exact thing it was supposed to be combating. Be vigilant.

Update 06/05: Security researchers are starting to understand how Gmail’s check mark verification system is being fooled and how it applies to other email services. in blog postDebugger Jonathan Rudenberg revealed that he was able to replicate the hack on Gmail, stating:

Gmail BIMI implementation only requires SPF to match DKIM signature It can be from any field. This means that any mail server that is subscribed or misconfigured in the SPF records of a BIMI-enabled domain could be destined to send spoofed messages using Gmail’s full BIMI handling…

BIMI is worse than the status quo, because it enables super-strong phishing based on a single misconfiguration in a very complex and fragile email package.”

Rudenberg also published the results of BIMI implementations on other major email services, saying:

• iCloud: Correctly verifies that DKIM matches the domain from
• Yahoo: only treats BIMI with highly reputable bulk messages
• Fastmail: Poor but also supports Gravatar and uses the same treatment for both so the effect is minimal
• Apple Mail + Fastmail: vulnerable to dangerous treatment

Yes, this means that users of Apple Mail and Fastmail should also be vigilant, even though they don’t run the same checked-mark system as Gmail. There has been a very critical response to this vulnerability from the security community, with questions being asked about how this was allowed to happen and how poorly Gmail’s verification method was implemented. Google needs a fix ASAP.

___

Follow Gordon on Facebook

More on Forbes

More from ForbesGoogle patches second Zero Day vulnerability on Chrome in a weekby Gordon Kelly