Gmail’s Security Hole Could Allow Mass Spam
INSERT (Information Security Research Team) reports that Gmail is vulnerable to a man-in-the-middle attack with which spammers could send mass e-mails through Google's SMTP service while simultaneously evading detection, as reported by Ars Technica on May 10, 2008.
The investigators at INSERT indicated that this attack successfully gets past both Google's protection mechanisms against identity fraud and the existing 500-address restriction on mass e-mail. A security loophole in Gmail that allows spammers to distribute a potentially massive volume of messages certainly creates a problem; however, there is another, outside factor that could provoke a spam attack.
In response to the high volume of spam, which currently comprises 95% of total e-mail, many e-mail providers have adopted blacklists and whitelists as their initial attempts to protect against this surge. Accordingly, while any of the existing e-mail services would automatically block messages from not-so-reputable addresses like firstname.lastname@example.org, a message from an authenticated, trusted source, e.g. Gmail, would automatically be allowed to pass through the e-mail provider's gateway.
E-mail service providers routinely use filtering services at multiple levels that can identify a forged Gmail communication arriving as spam, but the message overcomes a substantial barrier to delivery because of the name involved.
E-mail originating from Google seems to enjoy particularly favorable regard from both Hotmail and Yahoo. INSERT tested the level of trust among the three main e-mail service providers by dispatching spam e-mails to Hotmail and Yahoo from two sources. The first trial involved sending messages from private e-mail systems whose Internet Protocol addresses had been blacklisted by Hotmail and Yahoo. The second trial involved dispatching the same messages through the Gmail flaw that INSERT discovered.
The tests showed that e-mail dispatched to Hotmail and Yahoo from the blacklisted IP didn't always reach even the account's spam box, whereas the forged e-mails dispatched via Gmail always arrived in the account's inbox.
Therefore, INSERT concludes that no security loophole should be allowed to survive in a service or product so that the ecosystem remains undamaged.
» SPAMfighter News - 16-05-2008