Last month, Google introduced a Twitter-style blue checkmark for verified brands in Gmail. This means that any brand verified through Brand Indicators for Message Identification (BIMI) in Gmail would earn the trust of its users, who would then know that the sender was, in fact, the real deal and not an imposter.
“Strong email authentication helps users and email security systems identify and stop spam, and also enables senders to leverage their brand trust. This increases confidence in email sources and gives readers an immersive experience, creating a better email ecosystem for everyone.” (quoted from Google’s The Keyword blog)
However, it would seem that scammers have already found a way to get that blue checkmark without being verified through BIMI. According to Twitter user Chris Plummer, Google initially closed the ticket in which he raised his concern rather than taking it seriously.
Now the ticket has been reopened, and the security team is treating it as a real issue. Somehow, spam senders have discovered a way to bypass the integrity check Google performs before stamping an email with a blue checkmark. It doesn’t appear that the sender has simply pasted an emoji into their display name.
As Chris has stated in his tweets, there are inherent issues with even providing a blue checkmark, since regular users will take it as God’s word no matter what. He seems to think it shouldn’t even exist, and I’m inclined to agree. I can see why it would be a solution on the whiteboard, but how it made its way past that initial meeting without these vulnerabilities and opportunities for exploitation coming up is beyond me.
Luckily, the feature is brand new and hot off the press, so there should be plenty of eyes on it to hammer out the issues it’s having out of the gate. My hope is that Google can find a way to cut back on spam across all of its services using better tools than it’s provided over the past year.