The three tech giants Google, Microsoft, and Yahoo have fixed a major weakness in their respective email systems that would allow spoofed messages to appear legit. On Wednesday, an advisory was published by US-CERT stating that DKIM signing keys under 1,024 bits are weak. This all started with an alleged Google recruiter sent an email to a Florida mathematician.
Zachary Harris is a 35-year-old mathematician from Florida who received an unexpected email from a Google recruiter about a possible job offer. Finding the email odd and wondering if it was spoofed, Harris noticed that it using a 512-bit key. He suspected this could be a test on Google’s part to see if the issue would be caught, and so he cracked the key and sent two spoofed emails out to Google’s founders, signing each email as being from the other person.
It turned out that it wasn’t a test, and that Harris had instead discovered a serious security flaw in the email system, which Google quietly corrected soon after the spoofed emails had been sent. With a bit of digging, it turned out that both Yahoo! and Microsoft had the same issue. According to the report at Wired, Harris also discovered sub-1,024-bit keys being used by Dell, Apple, eBay, Amazon, PayPal, Twitter, SBCGlobal, US Bank, HP, HSBC, and Match.com.
A Google spokeswoman issued a statement to Wired, stating that the company fixed the issue as soon as it surfaced, revoking the weak keys for the affected domains and pushing out ones over 1,024-bits in their place. Said Harris, “I assumed the e-mail got to some influential tech person [at Google] who looked at it and said, ‘Wait a second, how is this obviously spoofed e-mail getting through?’ And they apparently figured it out on their own.” The weakest keys Harris found in use were 384-bit, which he could crack via his laptop in 24 hours.