Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
shenbomo 2 days ago

Why DKIM signature doesn't include the content of the email too?

seszett 2 days ago | parent | next [-]

It does. It's not obvious from the writing but Google actually sent this email to the attacker (which then redirected it mostly unchanged except for the To: header).

The main content of the email is text used for the "App Name" field of the attacker's OAuth app. This explains why the screenshot of the email actually does look weird, with unlinked URLs and weird formatting.

I'm pretty sure there is a lot more at the end of the email that makes it obvious it's not legitimate. But then I also understand how quite a few people wouldn't even get to the end.

aaronmdjones 2 days ago | parent [-]

The attacker did not change the To: header. This would invalidate the DKIM signature and result in a DMARC fail and the message landing in Spam (or being rejected).

You can receive e-mail with a To: header saying anything. It doesn't have to be you.

asimpletune 2 days ago | parent | prev [-]

I don’t think the content was modified. If it had been then the signature would have been invalidated. The attacker found a way to send themself an email from Google that the author later replicated using Google workspace + a Google OAuth app. Then they replayed that because Google isn’t signing the “to” field.

jorams 2 days ago | parent [-]

> Then they replayed that because Google isn’t signing the “to” field.

Google is signing the To field (at least on all email they send me). The attacker didn't change that either, as displayed in the screenshots in the article. The attacker took an email legitimately sent from Google to them, then redirected it to the victim.

An equivalent real-world mail scenario would be me taking a letter from my bank to me, putting it in a new envelope, then sending it to you. Then your assistant takes it out of the envelope and puts it into your inbox. The letter in your inbox is a completely valid letter from said bank, intended for me.

There's two things in this article Google does badly: Allowing free input of an app name and putting it directly at the top of an email they send without preceding it with an indication what the email is about, and hosting user-managed websites on a subdomain of google.com.