Google has tightened up Gmail security after a researcher successfully spoofed emails to the company founders Sergey Brin and Larry Page.
Mathematician Zachary Harris used a flaw in Google's implementation of the DomainKeys Identified Mail (DKIM) standard to send emails to Brin and Page which were purportedly from each other, technology publication Wired said on Tuesday.
DKIM is a security standard that is designed to mitigate phishing and other spoofing attacks by cryptographically associating a domain name with an email message.
Google had used a weak 512-bit key to sign emails from a legitimate corporate domain, rather than the recommended key length of 1,024 bits proposed in RFC 6376.
Harris cracked the Google key using Amazon Web Services cloud computing at a cost of US$75. Google is now using stronger DKIM keys, a Google spokeswoman told Wired.
A number of organisations are still using weak DKIM keys, leaving themselves open to phishing attacks, US-CERT warned in an advisory, adding that organisations should revoke and replace any DKIM key shorter than 1024 bits.
Google had not responded to a request for comment at the time of writing.
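The US-CERT advice above is something a defender can check directly: the `p=` tag of a DKIM TXT record carries a base64 DER SubjectPublicKeyInfo, and the RSA modulus inside it gives the key length. The following is an added example, not code from the article or from Google; the DER walker and the `sample_record` builder (which produces a placeholder modulus of a chosen size, not a real key) are both my own and are assumptions for illustration.

```python
import base64

DKIM_MIN_BITS = 1024  # US-CERT: revoke and replace RSA keys shorter than this

def _der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Modulus size of an RSA SubjectPublicKeyInfo (the DER behind DKIM's p= tag)."""
    tag, spki, _ = _der_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, _alg, pos = _der_tlv(spki)                  # AlgorithmIdentifier (rsaEncryption)
    tag, bitstr, _ = _der_tlv(spki, pos)           # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsa, _ = _der_tlv(bitstr[1:])               # skip unused-bits byte -> RSAPublicKey
    tag, modulus, _ = _der_tlv(rsa)                # first INTEGER is the modulus n
    if tag != 0x02:
        raise ValueError("missing modulus INTEGER")
    return int.from_bytes(modulus, "big").bit_length()

def dkim_key_bits(txt):
    """Key length advertised by a DKIM TXT record; 0 means the key is revoked (empty p=)."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    if tags.get("k", "rsa").strip() != "rsa":
        raise ValueError("non-RSA key type")
    p = "".join(tags.get("p", "").split())         # DNS may split p= across strings
    return rsa_modulus_bits(base64.b64decode(p)) if p else 0

# --- constructed sample data: a minimal DER encoder so the checker can be exercised offline ---
_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # AlgorithmIdentifier rsaEncryption

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def sample_record(bits):
    """DKIM record whose modulus is a placeholder of the given size (NOT a usable key)."""
    rsa = _der(0x30, _der_int((1 << (bits - 1)) | 1) + _der_int(65537))
    spki = _der(0x30, _RSA_ALG_ID + _der(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

A record fetched with `dig TXT selector._domainkey.example.com` can be passed straight to `dkim_key_bits`; anything below `DKIM_MIN_BITS` is a key to rotate.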