Google probes after scammers exploit new Gmail 'blue-tick' feature

Gmail faces a significant setback as hackers have found a way to exploit one of its recently introduced security features.

The Gmail blue checkmark system, designed to assist users in identifying verified companies and organisations, is now being manipulated by scammers to deceive unsuspecting users.

Launched in May, the checkmark system displays a blue tick next to emails from verified sources, aiming to enhance user confidence and prevent falling victim to impersonation scams. However, cybersecurity engineer Chris Plummer has uncovered a vulnerability that allows scammers to deceive Gmail into recognising their fake brands as legitimate ones.

Plummer, who initially discovered the issue, brought it to the attention of Google, only to face dismissal of his findings. It was only after Plummer's tweets about the matter gained viral attention that Google acknowledged the problem and issued a statement.

In their response to Plummer, Google stated, "After taking a closer look, we realised that this indeed doesn't seem like a generic SPF vulnerability. Thus, we are reopening this, and the appropriate team is taking a closer look at what is going on. We apologise again for the confusion, and we understand our initial response might have been frustrating.

"Thank you so much for pressing on for us to take a closer look at this! We'll keep you posted with our assessment and the direction that this issue takes."

when the going gets tough,
the tough get a tweet with 100,000+ views
thank you all. pic.twitter.com/tYiOD1zvpQ

— plum @chrisplummer.bsky.social (@chrisplummer) June 1, 2023

Recognising the gravity of the situation, Google has now classified the flaw as a 'P1' (top priority) fix, which is currently in progress. The tech giant is actively working to address the vulnerability and provide users with a secure email experience once again.

Until Google implements a fix, the Gmail checkmark system remains compromised, leaving users vulnerable to scams and fraudulent activities. 

In the meantime, users are advised to exercise scepticism and adopt additional measures to safeguard their personal information and online security.