Exclusive: Google Responds To Claims Of “Serious Security Flaw”

Google says reports of an “open relay” security hole in its Gmail interface are not factually correct, according to information obtained by The Inquisitr this afternoon.

The Information Security Research Team (INSERT) released a detailed study claiming spammers could “bypass” Gmail’s security protection systems and “be granted nearly unrestricted access to Google’s…SMTP relay infrastructure.” The report claims it’s possible to “trick” Google’s servers into “functioning as open SMTP relays” and refers to the findings as a “serious security flaw.”

A Google spokesperson tells The Inquisitr, though, that the issue is actually just an abuse of Gmail’s forwarding feature as opposed to any kind of open relay exploit. It does not, he says, present any security vulnerability.

“We are aware of the potential for this kind of abuse and we have controls in place to prevent large attacks,” the spokesperson said.

Part of the concern over the INSERT report stemmed from the fact that email sent through Google is considered so secure and trustworthy by spam filters. The implication was that this flaw could give spammers an easy way to bypass those filters and get right into people’s inboxes. Google pointed out to The Inquisitr, however, that its system attaches SPF and DKIM authentications only to regular outgoing emails, not forwarded ones. Because of this, any forwards sent via Gmail will not have the “stamp” of Google’s approval, so to speak, and would be picked up by spam filters just like mail sent from any other source.

In addition to this, Google has systems in place to rate-limit forwarding as well as to detect abuse and disable misused accounts. The specifics of those systems are not made publicly available, but the representative with whom The Inquisitr spoke is confident they’d prevent Gmail from being an effective tool for any spammer. He indicated that security teams believed it’d be impractical for a spammer to set up any kind of mass operation using the concepts from INSERT’s report.

Even so, the company is taking the findings seriously and actively working to make sure its servers stay secure.

“We are also investigating additional ways we can prevent this kind of activity,” the spokesperson said.