Rare SMTP header injection flaw bypassed modern protections for an aging protocol

Google email domains were spoofed by an SMTP exploit in G Suite

UPDATED G Suite’s email configuration was vulnerable to a Simple Mail Transfer Protocol (SMTP) exploit that allowed attackers to spoof email messages from Google’s servers, a security researcher discovered.

After bypassing security mechanisms that offset weaknesses in SMTP, Zohar Shachar was “able to spoof emails from arbitrary ‘@google.com’ addresses”, the Israel-based researcher revealed in a blog post published today (June 15).

Discovery of the SMTP header injection flaw in G Suite, a collection of Google apps that includes Gmail, Google Docs, and Google Drive, netted Shachar a $3,133.7 bug bounty.

Google contacted The Daily Swig on June 16 to confirm that the vulnerability has now been fixed.

‘Powerful tool’

Shachar probed for flaws in G Suite by weaknesses in SMTP which “is still very much in use by just about every person who is connected to the internet”, despite dating back to the early 1980s.

“G Suite is an immensely powerful tool for account administration,” he noted, including “what email headers should be applied”.

However, only the email sender (‘MAIL FROM’), recipient (‘RCPT TO’), and email contents (‘DATA’) are native to SMTP. Other email headers – cc, bcc, and subject – were “hacked into the system” later, he added.

These bolt-ons are incorporated inside the ‘DATA’ header content as new lines, with the header name/value separated by ‘:’.

“This ‘hack’ means there are a lot of opportunities for mistakes when trying to mess with it,” said the researcher.

And since SMTP “does not enforce authentication”, he added, “if you can open a socket to an SMTP server you can instruct it to send an email to any address, and more importantly you can send this email from any address.”

The upshot: you can’t “trust the origin of the email you just received”.

Probing for a flaw

Attackers logged into Google’s admin console could ‘add a routing setting’ for inbound and outbound traffic in which they configure a ‘custom header’ to be added to all emails.

However, custom headers in G Suite have a leading ‘X-’ to preclude attackers from having full control of the header name.

Shachar’s first attempt to bypass this mechanism – injecting “a new line as part of the header name” – was stymied by another security function that blocked the inclusion of newline chars in the header name.

Unprotected flank

However, the researcher found SMTP’s unprotected flank in an “option to prepend a ‘custom subject’ to each mail”, observing that “there is no ‘subject’ in SMTP – it is just another header in the ‘DATA’ section.”

Launching his proxy and adding “newline chars (‘\r\n’) into the’ subject’ setting” meant that “newline chars were rendered at the server side and the ‘subject’ header was split into several lines.

“As each header is represented in a new line,” he continued, the rest of the payload after the newline chars was “was pushed to the next header, which in this case was the email body.”

After adding a spoofed ‘From’ header, “Gmail presented this email as if it actually came from admin@google.com.”

Trust but verify

Asked by The Daily Swig about the potential impact of malicious exploitation, Shachar said: “It’s a powerful tool for social engineering. If I send you an email from an address you trust (admin@google.com) and your email client trusts the authenticity of the email – you are likely to 'fall' for my scam (give me your password for example).”

Shachar first reported the flaw to Google on January 5, with the Gmail developer acknowledging the report on January 13.

He sent further details, including a working proof of concept exploit, on January 15.


This story was updated on June 16 to reflect the fact that the security flaw in question has now been patched


RELATED Firefox and Chrome yet to fix privacy issue that leaks user searches to ISPs