I got emails — G Suite Vulnerability
After recent finding about Uber and SendGrid bug, I decided to check other third party applications that were also used for similar cases. During the investigation, some third party applications were found to be vulnerable including G Suite.
The initial research of this vulnerability started when investigating a vulnerability on whatsapp.net. It was interesting to see that whatsapp.net had its DNS in following manners (Image attached)
Based on this we can see that the MX setup is through Google specifically through G Suite.
Next, I went to G Suite signup page, and then signed up for the domain which created email id firstname.lastname@example.org. At first, this did not bring any security risk because for G Suite to properly work, a domain ownership verification is required so going to gmail.com would show the following screen.
This shows that without domain verification nothing could be done. However when looking up how forwarding and routing was done with G Suite I found this document by Google: https://support.google.com/a/answer/2368153?hl=en
This stated that one could set a routing by using the Default Routing tab in Gmail Advanced settings located at G Suite. This should still require domain verification. However, it did not.
It did not take much work after that to set the route in the following manners:
Next, I decided to send a test email to email@example.com which then arrived to my private email. Once that was verified to work I submitted the report to Facebook Security team through https://facebook.com/whitehat. Facebook fixed it in about 4 days of the report being sent.
Next, I found similar issue on Yelp through their yelp-support.com domain. Once I found the vulnerability on Yelp I realized this could be more wide spread than I had originally thought so I reached out to Google security team and reported it to their team as well.
In about 1 day of my report, Google fixed the issue from their side so now when trying to use Gmail’s advanced settings without verified domains will give the following alert:
“We are unable to process your request at this time. Please try again later. (Error #1310)”
In the end, this vulnerability was fixed by Facebook, Google and Yelp by January 31, 2017.