Gmail blue tick system abused, Google didn’t care

Just as on Twitter or Instagram, there are verified users on Gmail. Under this system, which is supported by Brand Indicators for Message Identification (BIMI), companies need to declare that the brand logo they use as an e-mail avatar really belongs to them. The sender then automatically gets a blue tick.

Google BIMI system being abused

According to an incident uncovered by a security engineer, attackers can abuse the BIMI system to send emails that appear to come from a real business. This exposes users to a potential risk of being scammed.

The interesting part came when the engineer reported the issue to Google. Google did not take the report seriously and treated it as an isolated incident. As a last resort, the engineer tweeted about it. Once the tweet attracted attention in a short time, Google had to act.

After re-evaluating its initial response, Google has prepared a patch for the BIMI vulnerability that lets a sender take on a fake business appearance. The patch will be applied shortly. In the meantime, it is unknown whether any users have fallen victim to the vulnerability.
