
Gmail fixes dangerous bug — steps to protect your account now

Google has more power and pull on the web than you might think. This company, now one of the largest in the world, controls a significant majority of the internet’s ad power and revenue. Plus, it’s responsible for one of the largest communication platforms you can use today: Gmail.

Not only does Gmail give users more space than they could ever fill for emails and files, but it also offers a plethora of features that make sending and organizing messages even easier than before. Tap or click here for our favorite Gmail tricks and hacks.

Because Gmail is so widely used, a security issue affecting the platform would threaten a wide swath of internet users. And that’s exactly what’s happened: an unusual bug in G Suite could have allowed emails to be spoofed so that they appeared to come from any other sender on the platform.

We’ll show you how this bug works and how you can protect your account from dangerous threats like this one.

G Suite bug would’ve let hackers pretend to be any Gmail user

Google has patched a major security flaw within its G Suite family of applications, which includes Gmail, Google Meet and Google Docs, among other productivity software.

The bug, initially discovered by security researcher Allison Husain, involved a combination of back-end G Suite exploits that could allow hackers to manipulate email routing data to masquerade as any Gmail user. Were the issue to remain unpatched, Husain speculated it would be widely adopted by scammers using phishing campaigns.

Tap or click here to see why phishing attacks have become so widespread.

To make matters worse, messages spoofed through this bug would pass Gmail and G Suite’s built-in authentication checks, which means they wouldn’t easily be flagged as spam or malicious. This would’ve removed a major stumbling block for malicious actors.

Husain originally reported the issue to Google in April of this year, but Google apparently delayed patches past the 137-day disclosure deadline. Instead, it planned to fix the bug sometime in September.

But all that changed after Husain published her findings publicly on her blog, along with proof-of-concept exploit code. Google released patches 7 hours later and said it would release more robust patches closer to its original timeline.

This story, just like many coming from the cybersecurity domain, proves just how valuable white-hat hackers and cybersecurity researchers are to building a safer internet.

Where are all these cyberattacks coming from? Tap or click here to find out.

What can I do to protect my Gmail account from bugs like this?

While the bug discovered by Husain would let hackers masquerade as any other Gmail user, the biggest threat comes from the fact that these spoofed messages could be used to send malware or phishing links that compromise other accounts. In other words, the bug is the method of delivery rather than the payload.

Thankfully, Google patched the issue.

So in light of this sort of threat, what is the best way to protect your Gmail account from hackers? Believe it or not, phishing prevention and safety tips are still your best options to make your account more secure.

1. Use 2FA to prevent unauthorized logins

Two-factor authentication, or 2FA, adds an additional layer of security to your Google account. Even if your account were to somehow become compromised, the hacker would need physical access to your smartphone in order to fully log in. Here’s how to set it up:

  1. Tap or click here to open your Google Account settings.
  2. From the left navigation panel, click on Security.
  3. From the Signing in to Google panel, click on 2-Step Verification.
  4. Click on Get started.
  5. Follow the steps that appear on the screen.

Whenever someone attempts to log into your account, a code will be sent to your phone to verify that it’s really you. This finalizes the process and adds a much-needed extra security step to protect your account.

2. Set up recovery options if you lose your account

If a hacker gets lucky and you’re locked out of your account, the recovery options you enable will be your only way back in. Google gives you several ways to secure your account via alternate email addresses and phone numbers.

To set recovery email and phone options from your computer:

  1. Tap or click here to open your Google Account settings.
  2. From the left-hand navigation panel, click on Personal info.
  3. From the Contact info section, click on Add a recovery phone.
  4. From here, you can:
    • Add new recovery phone.
    • Change your existing recovery phone: Next to your phone number, select Edit.
    • Delete your existing recovery phone: Next to your phone number, select Delete.
  5. Follow the steps on the screen to complete your setup.
  6. Return to the Google Account settings page.
  7. From the left navigation panel, click on Personal info.
  8. From the Contact info section, click on Email.
  9. From here, you can:
    • Add a new recovery email.
    • Change or delete your existing recovery email: Next to your existing email, select Edit.
  10. Follow the steps on the screen to complete your setup.

3. Follow these phishing best practices

The account security features listed above will protect your account, but ultimately, it’s up to you to stay vigilant for signs of phishing and avoid getting ensnared. Here’s how:

  1. Always check the sender field of an email to make sure the domain matches who the sender claims to be. Also, if the email claims to come from a major company or organization, pay attention to whether it addresses you generically (Dear X customer) or personally (with your name).
  2. Avoid clicking on any links in email messages whatsoever.
  3. Never engage with emails if you’re not familiar with who the sender is.
  4. Never download any attachments unless you’re completely sure of what they are, why they were sent, and who sent them to you.
  5. If an email asks you for any personal information (like login credentials), just ignore it.
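Step 1 above, checking that the sender’s domain matches who the message claims to be from, can be made precise by comparing the visible From domain against the domains that actually passed SPF and DKIM in the receiving server’s Authentication-Results header (in Gmail this header is visible under "Show original"). The following is an added example, not code from the article or from Google; the two messages are constructed for illustration, and the alignment rule is a simplified version of DMARC’s relaxed alignment (same domain or a subdomain of it). It shows the ordinary case this check catches: a message that "passes" authentication, but for a domain other than the one shown in From. It does not detect the G Suite bug itself, which was notable precisely because the spoofed mail authenticated as the impersonated domain.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (invented headers, not a real mail).
# From domain and the SPF/DKIM-authenticated domains all agree.
ALIGNED_MSG = """From: Billing <billing@example.com>
To: you@example.net
Subject: Your invoice
Authentication-Results: mx.example.net;
 dkim=pass header.i=@example.com header.s=sel1;
 spf=pass smtp.mailfrom=bounce@example.com

Thanks for your payment.
"""

# Constructed sample message: From shows example.com, but SPF and DKIM passed
# for a different domain. "pass" without alignment is the warning sign.
MISALIGNED_MSG = """From: Billing <billing@example.com>
To: you@example.net
Subject: Your invoice
Authentication-Results: mx.example.net;
 dkim=pass header.i=@mailer.example.org header.s=k1;
 spf=pass smtp.mailfrom=bounce@mailer.example.org

Please open the attached invoice.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header value, '' if absent."""
    _, address = parseaddr(addr)
    return address.rpartition("@")[2].lower()


def _aligned(from_domain: str, auth_domain: str) -> bool:
    """Simplified relaxed alignment: same domain or a subdomain of the From domain."""
    if not from_domain or not auth_domain:
        return False
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def check_alignment(raw_message: str) -> dict:
    """Compare the From domain with the domains that passed DKIM and SPF."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = _domain(str(msg.get("From", "")))
    # Collapse folded header whitespace so the regexes see one line.
    auth = " ".join(str(msg.get("Authentication-Results", "")).split())

    # dkim=pass ... header.i=@domain  (or header.d=domain)
    dkim = re.search(r"dkim=(\w+)[^;]*?header\.[id]=@?([\w.-]+)", auth)
    # spf=pass ... smtp.mailfrom=user@domain
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^\s;@]+@)?([\w.-]+)", auth)

    dkim_domain = dkim.group(2).lower() if dkim and dkim.group(1) == "pass" else ""
    spf_domain = spf.group(2).lower() if spf and spf.group(1) == "pass" else ""
    return {
        "from_domain": from_domain,
        "dkim_domain": dkim_domain,
        "spf_domain": spf_domain,
        "dkim_aligned": _aligned(from_domain, dkim_domain),
        "spf_aligned": _aligned(from_domain, spf_domain),
    }


def verdict(result: dict) -> str:
    """DMARC-style outcome: one aligned, passing mechanism is enough."""
    return "aligned" if result["dkim_aligned"] or result["spf_aligned"] else "suspicious"


if __name__ == "__main__":
    for label, raw in (("aligned sample", ALIGNED_MSG), ("misaligned sample", MISALIGNED_MSG)):
        result = check_alignment(raw)
        print(f"{label}: From={result['from_domain']} "
              f"DKIM={result['dkim_domain'] or '-'} SPF={result['spf_domain'] or '-'} "
              f"-> {verdict(result)}")
```

A "suspicious" verdict here does not prove the mail is malicious (legitimate bulk senders sometimes use third-party sending domains), but it is exactly the mismatch that a glance at the display name alone will never reveal, and it is worth treating any request for credentials or attachments from such a message with extra caution.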

These steps might seem obvious, but it’s important to be proactive to keep your account safe. Otherwise, you might become an unwitting accomplice in a hacking campaign without ever knowing it.
