Google Fixes Major Gmail Bug Seven Hours After Exploit Details Go Public (zdnet.com)
On Wednesday, Google patched a major security bug impacting the Gmail and G Suite email servers. From a report: The bug could have allowed a threat actor to send spoofed emails mimicking any Gmail or G Suite customer. According to security researcher Allison Husain, who found and reported this issue to Google in April, the bug also allowed attachers to pass the spoofed emails as compliant with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), two of the most advanced email security standards. However, despite having 137 days to fix the reported issue, Google initially delayed patches past the disclosure deadline, planning to fix the bug sometime in September. Google engineers changed their mind yesterday after Husain published details about the bug on her blog, including proof-of-concept exploit code.
Why the delay? (Score:3)
Did Google comment on why they weren't more responsive on a fix? That seems like an egregiously long time to wait given all the active phishing gangs at work.
Re:Why the delay? (Score:5, Insightful)
Would you care if they did? Are you imagining a world where you'll get a candid, non-weasel worded explanation from Google?
1999 called. They want their naive innocence back.
Re:Why the delay? (Score:4, Insightful)
You can be curious all you want. Google will not be forthcoming about why they squatted on this for half a year. The best you can hope for is some mid-level cannon fodder bleating about coronavirus herp derp; the universal excuse-all of our time.
Re:Why the delay? (Score:5, Interesting)
Google only subscribes to the "90 days is plenty of time to fix a flaw" rule with other companies' serious flaws... not its own.
Re: (Score:2)
Google only subscribes to the "90 days is plenty of time to fix a flaw" rule with other companies' serious flaws... not its own.
Google is a big company with lots of views on lots of things. Project Zero has 0day'd Google products who were slow to patch. If P0 had found the bug it would have been disclosed in 90 days, not 137.
Re:Why the delay? (Score:5, Insightful)
It's almost like allowing Google to become a single point-of-failure for the Internet is a bad idea.
Re: (Score:2)
It's almost like allowing Google to become a single point-of-failure for the Internet is a bad idea.
Cloudflare called, and wants to have 1,111 words with you. [techcrunch.com]
Re: (Score:3)
the bug also allowed attachers to pass the spoofed emails as compliant with SPF
I would even settle for a carefully worded article from ZDNet.
The '90s also want their quality of reporting back.
Re: (Score:3)
Well, if Google wants to give everyone a hard 90 day deadline before going public, then they should play by the same rules they impose on others, right?
And things are even easier on Google. Unlike a flaw in a core OS component that requires tons of testing to make sure the fix doesn't cause regressions, a fix in Gmail is easy to test and deploy.
So if Google can give Microsoft and Apple
Re: (Score:2)
should
Fantasy. Google doesn't care about "should." Maybe it once did. And maybe it occasionally pretends to now when convenient. But otherwise Google doesn't give fuck #1 about "should."
Further, the fact that Google doesn't care isn't an actual problem. The problem is that anyone — individuals, regulators, lawmakers, competitors, etc. — were ever foolish enough to think it did, or that it would continue to do so, or that it ever did in the first place.
Suckers all.
Re: (Score:3)
The security researcher should have exploited the bug to send embarrassing company-wide messages posing as the CEO.
That might have spurred them into action without the need to make the details public.
Re:Why the delay? (Score:5, Insightful)
Of course security issues should be treated faster, but it's also possible that Google used that to monitor who tried to abuse it. There's a large set of options that can explain the delay. The exploit being released for anyone to use makes it more important to fix now.
That's a somewhat naive view on things, and the reality is probably more complex, but as a software developer I see some reasons to not deploy a fix ASAP. It's even possible the fix they deployed *now* is not the final one but only a quick mitigation.
Re:Why the delay? (Score:4, Interesting)
Oooh, I like your insidious thinking! Patch the bug, but leave a "fake" bug that makes it appear as though the bug is still present. Next, wait for them to exploit it and use the spoofed emails to identify the hacker. I love it! Finally, remove the "fake" bug once the exploit goes public.
I doubt this is what happened, but it would be kinda cool if it was.
Re: (Score:3)
(also deep into conspiracy territory)
I'd be more inclined to believe that an alphabet agency was already exploiting said bug and put pressure on Google not to fix it.
Re: (Score:2)
Is it critical?
No, but it's pretty bad...
Push it to tomorrow, we'll get to it after these critical issues are patched
Months pass...
It's a security issue - not too bad - but it's now published with proof of concept code!
Damn it, OK, today is its lucky day.
Or countries, more like it
Reasons for anti-trust investigations:
1. To coerce companies to help with backdoors
2. For politicians and regulators to get "donations", legal and otherwise
3. Because of pure anti-trust concerns of The People, severed from helping out competition by the politicians' friends and stock market manipulator friends.
It is doubtful 3 even exists except in rhetoric-space.
Link? (Score:2)
Why is there no link to the blog post in TFA, but a ZDNet article instead?
Can fix Gmail but not Pixel 3 Bluetooth. (Score:2)
Re: (Score:1)
It's almost as if two entirely different engineering groups and specializations are involved in Gmail, and hardware support on a phone.
What a shocker!
Re: (Score:2)
I have a launch-day Pixel 3 XL and never had any issues with Bluetooth. I pair it everywhere I go: car, boat and headphones. /shrug
Was this the cause of this morning's outage? (Score:5, Interesting)
I wonder if this was the cause of this morning's 7-hour G Suite outage.
Re: (Score:2)
And http://voice.google.com/ [google.com] users were unable to upload and send images starting last night PDT. I don't know when it was fixed, but it was working this late morning PDT.
Next time use the exploit to report the issue? (Score:2)
Using the exploit to spam Google would perhaps have sped up the process?
The real reason (Score:2)
I can think of only one reason why a company would delay the rollout of a security fix they had developed: a government they are in bed with wanted to use that security hole for its own purposes. Only once the exploit code was made public and it became a larger risk to common users did Google release the fix they had been withholding at the orders of $gov.