"increase the value of your brand"

Gmail's BIMI implementation only requires SPF to match; the DKIM signature can be from any domain.

This means that any shared or misconfigured mail server in a BIMI-enabled domain's SPF records can be a vector for sending spoofed messages with the full BIMI ✅ treatment in Gmail.

Until today, there was a Microsoft 365 configuration that would happily forward messages with a spoofed RFC5321.MailFrom (envelope) address intact, which allowed spoofing messages from any of the 775 domains that are both BIMI-enabled and allow outlook.com in their SPF.

More vectors like this almost certainly exist; the implementations and configurations of email forwarding are extremely complicated, as discussed in the recent Forward Pass paper: https://arxiv.org/abs/2302.07287

BIMI is worse than the status quo, as it enables super-powered phishing based on a single misconfiguration in the extremely complicated and fragile stack that is email.

Other BIMI implementations:

iCloud: properly checks that DKIM matches the From domain
Yahoo: only attaches BIMI treatment to bulk sends with high reputation
Fastmail: vulnerable but also supports Gravatar and uses the same treatment for both so the impact is minimal
Apple Mail + Fastmail: vulnerable with a dangerous treatment

Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy

The critical role played by email has led to a range of extension protocols (e.g., SPF, DKIM, DMARC) designed to protect against the spoofing of email sender domains. These protocols are complex as is, but are further complicated by automated email forwarding -- used by individual users to manage multiple accounts and by mailing lists to redistribute messages. In this paper, we explore how such email forwarding and its implementations can break the implicit assumptions in widely deployed anti-spoofing protocols. Using large-scale empirical measurements of 20 email forwarding services (16 leading email providers and four popular mailing list services), we identify a range of security issues rooted in forwarding behavior and show how they can be combined to reliably evade existing anti-spoofing controls. We further show how these issues allow attackers to not only deliver spoofed email messages to prominent email providers (e.g., Gmail, Microsoft Outlook, and Zoho), but also reliably spoof email on behalf of tens of thousands of popular domains including sensitive domains used by organizations in government (e.g., state.gov), finance (e.g., transunion.com), law (e.g., perkinscoie.com) and news (e.g., washingtonpost.com) among others.

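A minimal model of the two checks the thread contrasts, written as an added example (not code from Gmail, iCloud, Fastmail or any other provider named above): DMARC's either/or alignment rule, a BIMI gate that stops at a DMARC pass, and one that additionally demands an aligned DKIM pass. The domain names, the organizational-domain shortcut and the sample authentication results are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AuthResults:
    """Authentication results for one message, as a receiver would compute them."""
    from_domain: str            # domain of the RFC5322.From header shown to the user
    spf_result: str             # "pass" / "fail" / "none"
    spf_domain: str             # RFC5321.MailFrom (envelope) domain SPF was evaluated for
    dkim_passes: list[str] = field(default_factory=list)  # d= domains of verified signatures

def org_domain(domain: str) -> str:
    # Constructed shortcut: organizational domain = last two labels.
    # Real DMARC uses the public suffix list; this is enough for the example.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier: str, from_domain: str, strict: bool = False) -> bool:
    # DMARC identifier alignment: strict needs an exact match, relaxed needs
    # the same organizational domain.
    if strict:
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def dmarc_pass(r: AuthResults) -> bool:
    # DMARC passes on EITHER an aligned SPF pass OR an aligned DKIM pass.
    # Once SPF is aligned, the DKIM state (none, or signed by an unrelated
    # domain) no longer matters, which is the gap the thread describes.
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain)
    dkim_ok = any(aligned(d, r.from_domain) for d in r.dkim_passes)
    return spf_ok or dkim_ok

def bimi_allowed_weak(r: AuthResults) -> bool:
    # "DMARC pass is enough": shows the logo for an aligned-SPF message that
    # carries any DKIM signature, or none at all.
    return dmarc_pass(r)

def bimi_allowed_strict(r: AuthResults) -> bool:
    # Also requires an aligned DKIM pass, i.e. a signature made with the
    # From domain's own key, which a forwarder cannot produce.
    return dmarc_pass(r) and any(aligned(d, r.from_domain) for d in r.dkim_passes)

# Constructed sample: envelope sender preserved by a forwarding server that is
# listed in the From domain's SPF record; DKIM-signed only by the forwarder.
FORWARDED_SPOOF = AuthResults(
    from_domain="brand.example",
    spf_result="pass", spf_domain="brand.example",
    dkim_passes=["forwarder.example"],
)
# Constructed sample: the brand's own outbound mail, signed with its own key.
LEGIT = AuthResults(
    from_domain="brand.example",
    spf_result="pass", spf_domain="bounce.brand.example",
    dkim_passes=["brand.example"],
)
```

The forwarded message passes DMARC and the weak gate, but fails the strict gate because no verified signature is from the From domain.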

I replicated the Microsoft 365 spoofing issue after Chris Plummer spotted it being exploited in the wild against ups.com: https://twitter.com/chrisplummer/status/1664075886545575941

Chris eventually posted the headers and after a bit of fiddling in Exchange Online, and many cursed PowerShell cmdlet errors from the web UI, I figured out how it worked.

I reported it to MSRC, but I think they failed to triage properly because they closed the report as wontfix yesterday. Today I noticed that they fixed it by rewriting the envelope sender, presumably because either Google or UPS contacted them about it.

UPS also removed outlook.com from their SPF at some point yesterday.

plum on Twitter

“There is most certainly a bug in Gmail being exploited by scammers to pull this off, so I submitted a bug which @google lazily closed as “won’t fix - intended behavior”. How is a scammer impersonating @UPS in such a convincing way “intended”.”

Great coverage of the BIMI spoofing issue from AJ: https://cyberscoop.com/security-professionals-tweet-bimi-google-gmail/
Security professional's tweet forces big change to Google email authentication

Gmail is tightening its implementation of an email security protocol after a researcher discovered a flaw allowing brands to be impersonated.

So @fastmail didn’t respond at all to my report sent to security@ about the BIMI spoofing issue. The auto reply from their ticket system claimed that it may take “10 business days to respond” which elapsed this morning (and is way too long for an initial response to a security issue).
Annnd tagging @fastmail here got an immediate response to the ticket confirming that as of this week they "now require an aligned DKIM pass for BIMI".
@titanous @fastmail Hey @rjbs this isn't the thing people would like to hear :(
@titanous "Won't fix" as in "we won't pay you a bounty"?
msrc_bimi_wontfix.md
@titanous Do any BIMI implementations implement the signature checking thing? It's been a minute since I read the spec, but IIRC there is supposed to be a signed identity verification doc (some JSON) along with the logo. And that it chained up to only a couple of vendors.
@nogweii Yes, that's the Verified Mark Certificate, which Gmail, iCloud, and Fastmail verify before showing the treatment. It asserts that a specific SVG is associated with specific domain names. This relies on the CAs (currently Entrust/DigiCert are trusted broadly) to do organization validation (something that WebPKI Extended Validation demonstrated is extremely fraught), domain validation, and then additionally validate that the SVG matches a registered trademark issued to that organization.

@titanous yeah, that extended verification is pretty silly, as you've highlighted with the lessons learned from WebPKI.

Should I also interpret your list that other mail providers aren't checking the Verified Mark? If so, even more evidence! 🤡

@nogweii The only other implementer afaik is Yahoo and they say that they don't require a VMC but only add the treatments to bulk sends with high reputation.
@titanous goddamnit. DKIM is like half of a good idea, I thought the whole point of BIMI was to incentivize its use. Why is SPF still a thing!!?!
@titanous is this a flaw everybody is going to remediate or is it just gonna be BEC-as-a-service forever

@glyph Google is looking into it: https://twitter.com/chrisplummer/status/1664348988143722500

I emailed Fastmail but haven't heard back.

plum on Twitter

“sometimes in this really cold line of work there is warmth”

@glyph For some reason they overindexed on DMARC and technically messages that have aligned SPF and any DKIM state (including none or a different domain!?) are considered valid by DMARC. Buried in a separate draft there is suggestion that _maybe_ just relying on DMARC isn't enough: https://datatracker.ietf.org/doc/html/draft-brotman-ietf-bimi-guidance#name-validation-of-a-bimi-messag
General Guidance for Implementing Branded Indicators for Message Identification (BIMI)

This document is meant to provide guidance to various entities so that they may implement Brand Indicators for Message Identification (BIMI). This document is a companion to various other BIMI drafts, which should first be consulted.

@titanous we just need something like https for From headers. Why won’t anyone just implement that?
@titanous we rely on the fact that the DKIM signature just needs to be there in order to pass these garbage roadblocks. turns out, "one more DNS-based signature scheme, bro, just one more, then email will be good, just gotta hash and sign the message and check the DNS pubkey with one more protocol" isn't, actually, making email any better.
@titanous or just give us your money, like always.
@aliu I did in the next post in my thread! Great paper!
@titanous thanks, glad it's on your radar 👍