BIMI-Related Gmail Vulnerability Is Probed By Google
Gmail spoofing vulnerability sparks Google ‘Priority 1’ probe
Monday, June 5, 2023
Google launched a “Priority 1” investigation into a Gmail security vulnerability after initially dismissing it as “intended behavior” that did not require a fix.
The vulnerability relates to the Brand Indicators for Message Identification (BIMI) email authentication method, a feature Google introduced to Gmail in 2021 but only recently rolled out to all 1.8 billion users of its email services.
With BIMI, a blue tick verification symbol is displayed on emails when the brand logo shown as the sender’s avatar has been authenticated as matching the company claiming to send the email. BIMI is not exclusive to Google; rather, it is part of ongoing efforts by a working group with a broad range of members who support the verification standard. The flaw brought to Google’s attention affects only Google’s own implementation of BIMI.
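Since BIMI only carries meaning when the underlying authentication holds, the check a mail operator would run before displaying a logo is whether the sending domain’s DMARC policy is actually enforcing. The following is an added example (not from the article or from Google’s implementation) that applies the prerequisites from the BIMI draft specification as I understand them: a `v=BIMI1` record with an HTTPS logo URL, plus DMARC `p=reject` or `p=quarantine` at `pct=100`, with the subdomain policy not set to `none`. The DNS records are constructed sample strings, not real lookups.

```python
"""Decide whether a BIMI logo may be displayed for a domain, from its TXT records."""
from typing import Dict, Optional


def parse_tag_value(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' syntax shared by DMARC and BIMI records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # skip empty or malformed segments
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(dmarc_record: Optional[str]) -> bool:
    """True only if DMARC would actually quarantine or reject unauthenticated mail."""
    if not dmarc_record:
        return False
    tags = parse_tag_value(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        return False
    if not (policy == "reject" or (policy == "quarantine" and pct == 100)):
        return False
    # Subdomain policy defaults to p; a 'none' override would let subdomains spoof.
    return tags.get("sp", policy).lower() in ("quarantine", "reject")


def bimi_decision(bimi_record: Optional[str], dmarc_record: Optional[str]) -> str:
    """Return 'show', 'no-bimi', 'declined', 'bad-record' or 'dmarc-not-enforcing'."""
    if not bimi_record:
        return "no-bimi"
    tags = parse_tag_value(bimi_record)
    if tags.get("v", "").upper() != "BIMI1":
        return "bad-record"
    logo = tags.get("l", "")
    if logo == "":
        return "declined"  # empty l= means the domain opts out of BIMI
    if not logo.lower().startswith("https://"):
        return "bad-record"  # logo must be fetched over HTTPS
    if not dmarc_enforcing(dmarc_record):
        return "dmarc-not-enforcing"  # never show a logo DMARC cannot back up
    return "show"
```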
UPDATE (6/5 1:45pm ET): In a statement to SC Media sent after this report was initially published, Google said: