In a recent intelligence report, the U.S. Department of Homeland Security has revealed serious weaknesses in Gmail’s new interface, many of which appear to be highly exploitable. As a top email service released in April 2004, Gmail has become the de-facto mode of digital communication for many people, especially those using an Android mobile device. As per the DHS report, Gmail’s new “Confidential email” feature opens up a loophole which cybercriminals can easily use as a launchpad for phishing attacks.
The intelligence report was initially released to all law enforcement agencies and the larger cybersecurity industry. Lesley Fulop, the spokesperson of DHS notes, “We have reached out to Google to inform them of intelligence relevant to their services and to partner to improve our mutual interests in cybersecurity.”
Google created “confidential email” in response to users’ need to forward, copy, download, and print an email of their choice more easily. It also empowers the user to enable two-step verification and email expiration for particular emails they want to share with others. Unfortunately, its convenience benefits scammers as well, who are able to copy the email format and create a phishing email that looks like a legitimate “confidential” one.
These fake emails can be loaded with malicious links that, when clicked, take over the host machine and make it part of a botnet by infecting it with ransomware. In response, Google spokesman Brooks Hocog clarified, “Google is committed to ensuring the security of its users’ personal information and employs tools to protect that information. It uses “machine learning” algorithms to detect whether incoming emails are potential phishing attempts and uses image scans to find any hidden malicious content in emails. Such efforts, among others, have led to the filtering out of more than 99.9 percent of phishing attempts in Gmail.”
John Cohen, former Acting Undersecretary of DHS, shared his opinion, “Gmail may actually place users at a higher risk because it may support a pattern of behavior where people click on links they receive. In today’s threat environment, cybersecurity is a shared responsibility; nothing is more critical to the government, the private sector, and the general public. They’re the primary method they use to provide updates and insights about emerging threats to private sector entities like state, local, and tribal government—and sometimes other federal agencies.”
Cohen further explained, “Those who spend a lot of time on email systems or perusing the internet need to keep up to date on different cyber threats that are out there. One person can place at risk an entire information system. So it’s very important people don’t click on links when receiving suspicious emails, especially if they don’t recognize the sender.”
Hocog emphasized that the “Confidential Email” feature will not make users click random links irresponsibly. The Gmail app will also not prompt the user to re-enter their account credentials when using this confidential feature. The Electronic Frontier Foundation, a non-profit organization that publicly advocates for the protection of online privacy, has spoken about the issue. Senior staff technologist Jeremy Gillula says, “The ‘Confidential Email’ feature is a step in the wrong direction when it comes to online security. The potential security risk of clicking links outweighs the benefits of the feature.”
At least the feature is opt-in. Users themselves need to manually enable the “Confidential Email” system before it becomes available for use. DHS strongly recommends not enabling it until Google takes action to address the concern.