June 7, 2023

Google’s Gmail checkmark system, which uses a blue checkmark to help users identify recognized corporations and organizations, is reportedly being utilized by fraudsters to trick users and undermine its original purpose.

The weakness was discovered by cybersecurity engineer Chris Plummer, who demonstrated that scammers had discovered a technique to mislead Gmail into recognizing their bogus brands as authentic, undermining the trust that the checkmark system was intended to inspire.

Google first ignored Plummer’s findings before admitting their error and taking the situation seriously. They told Plummer that they were actively examining the problem and that it was their top priority to resolve.

Later, Google apologized for dismissing Plummer’s conclusions and reopened the probe by appointing a team to undertake a thorough review. They praised Plummer for his persistence and vowed to keep the general public aware of their findings and the efforts they were taking to remedy the problem.

Jonathan Rudenberg, a debugger, also uncovered a vulnerability in Gmail’s BIMI implementation, known as Gmail Checkmark. He discovered that Gmail merely checks the SPF (Sender Policy Framework), enabling the DKIM (DomainKeys Identified Mail) signature to come from any domain. This implies that a shared or incorrectly configured mail server on a BIMI-enabled domain can be used to send bogus emails to Gmail with the full BIMI treatment. Rudenberg went on to say that BIMI weakens email security by allowing phishing attacks with just one email system misconfiguration.

The sources for this piece include an article in Forbes.