A New Hampshire resident recently caught a security bug on a Google email platform used by more than a billion people — and the company now lists the vulnerability as a top-priority fix.
Cybersecurity architect Chris Plummer, who lives in Manchester, said he received a Gmail message last week that appeared to come from a verified sender, but it seemed suspicious.
“The body of the message really had nothing in it,” Plummer said. “But what it did have was a UPS logo that had been applied by Google to the message.”
The email also had a verification mark on it, as part of a new feature to label email senders checked by Google. Plummer said it seemed more serious than a typical piece of junk mail.
“I knew this was almost certainly a bug in Gmail,” he said. “This had the possibility to allow complete strangers to impersonate a major brand like UPS and convince Google that the message was authentic.”
Plummer reported the glitch to Google. At first, he said, the company dismissed his complaint. But Plummer also shared his findings on Twitter — and after his post gained traction, the company revisited the bug.
“Google completely changed their mind, which was unbelievable,” he said. “In fact, I had a personal outreach from someone who worked at Google and said, ‘Listen, we’re really sorry about this, we got it wrong.’”
Plummer said he hopes this story brings attention to how even big platforms can be vulnerable to email scams.