A month ago now, you will remember, we told you that Google was implementing a verification system in Gmail which uses, as a distinctive, the already very popular “blue check” that we have been seeing for years in other services and which, for some time now, have become another monetization tool. The most obvious example of this is, of course, Twitter, but we must not forget that, in its shadow, Meta has proceeded in the same way with Facebook and Instagram.
Unfortunately, as we have seen in the past, payment-based verification systems can be wildly unreliable, but in the case of Twitter that has not been enough for those responsible to keep the old ones, those yes, reliable verified. Thus, as a first consequence of monetization based on these elements, we must take into account whether or not the services charge for it, in order to grant more or less reliability both to their identity and, therefore, to their contents. . And it is that whether or not verifying an account depends on whether it generates income, we can already imagine which element has the most weight in the equation.
However, when the verified is granted based on an account validation system, in which the economic issue does not intervene, This already offers us a certain guarantee that we do not have in other types of cases.. In other words, if the verified person is not paid, they gain many points in credibility, and this is the model used by Google in the implementation of the blue check in Gmail, which, at least in its first phase, is limited exclusively to companies and entities. , in order to combat the fearsome and present phishing.
There is most certainly a bug in Gmail being exploited by scammers to pull this off, so I submitted a bug which @Google lazily closed as “won’t fix – intended behavior”. How is a scammer impersonating @UPS in such a convincing way “intended”. pic.twitter.com/soMq7KraHm
— plum (@chrisplummer) June 1, 2023
However, and although the intention is good, it seems that the implementation of this system has some problem. As detected and communicated by the cybersecurity engineer Chris Plummer in your Twitter account, a bug in Gmail allows a fake account to be identified as verified. In the example that you post in your message, we can see how an email address that has nothing to do with the UPS courier and parcel service was identified as legitimate.
In the first instance, after reporting this problem to Google, the company responded that this problem was in the scenario considered as normal use of the service and that, therefore, it was not going to be solved. However, after some pressure from Plummer, Gmail’s security officers reconsidered their initial stance, saying they had misinterpreted the original message, Well, this is actually a pretty serious security problem..
Thus, as of today, we know that this issue is a top priority for Google’s engineering teams, and therefore we can trust that it will be resolved within a reasonable time frame. Meanwhile, yes, if you receive an email in your Gmail account and it includes the verified symbol, keep this problem in mind when assessing its credibility… that is, do not trust the blue check and that, therefore, you proceed as you would with an email that does not have said verification.
