Skip to main content

Forged security certificate targets Gmail users

Gmail-SSL-DigiNotar
Image used with permission by copyright holder

A fraudulent Google security certificate has found its way onto the web, making it possible for hackers to access the accounts of Gmail users, reports CNet. The certificate is reportedly being used to target Gmail users located in Iran.

The Secure Sockets Layer (SSL) certificate was issued by Dutch security authority DigiNotar to unidentified attackers on July 10. The attackers apparently tricked DigiNotar into thinking the request for the SSL certificate was coming from Google, which prompted the security authority to release the certificate.

Armed with the SSL certificate, the attackers have been able to set up fake versions of Google websites — Gmail appears to have been the focus — which appear genuine to both users and users’ web browsers, which can detect fake websites that do not have the proper SSL certificate.

Known as a “man in the middle” (MITM) attack, this technique allowed the hackers to fool users into entering their real Gmail credentials into the fake site, giving them access to those users’ email accounts.

A Gmail user in Iran, who goes by the name “alibo” first posted the problem to the Google users forum.

“Today, when I trid to login to my Gmail account I saw a certificate warning in Chrome. I took a screenshot and I saved certificate to a file.” wrote alibo. “When I used a vpn I didn’t see any warning! I think my ISP or my government did this attack (because I live in Iran and you may hear something about the story of Comodo hacker!)”

The Comodo alibo refers to was a similar case, which took place back in March. Certificate authority Comodo issued a variety of fraudulent digital certificates for sites owned by Google, Yahoo, Microsoft and others. A 21-year-old Iranian claimed to have been responsible for the attack, saying his actions were in protest of US foreign policy.

In this most recent instance, Google has so far only touted the security prowess of its Chrome browser.

“A Chrome security feature warned the user of the invalid certificate and blocked them from visiting the attacker’s site. We’re pleased that the security measures in Chrome protected the user and brought this attack to the public’s attention,” a Google spokesperson told CNet. “While we investigate, we plan to block any sites whose certificates were signed by DigiNotar.”

Mozilla also responded to the attack, saying on its blog, “Because the extent of the mis-issuance is not clear, we are releasing new versions of Firefox… shortly that will revoke trust in the DigiNotar root and protect users from this attack. We encourage all users to keep their software up-to-date by regularly applying security updates.”

DigiNotar has so far remained silent on its mistake.

UPDATE: Google’s Information Security Manager, Heather Adkins, has released an official statement on the Google online security blog. It reads:

Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it).

Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate.

To further protect the safety and privacy of our users, we plan to disable the DigiNotar certificate authority in Chrome while investigations continue. Mozilla also moved quickly to protect its users. This means that Chrome and Firefox users will receive alerts if they try to visit websites that use DigiNotar certificates.

To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings.

[Image via joingate/Shutterstock]

Topics
Andrew Couts
Former Digital Trends Contributor
Features Editor for Digital Trends, Andrew Couts covers a wide swath of consumer technology topics, with particular focus on…
Is there a Walmart Plus free trial? Get a month of free delivery
Walmart logo.

Take a moment and think about how often you shop at your local Walmart. Is it weekly? Daily? If either of those is the case, it might be time to upgrade your shopping experience. The Walmart Plus free trial is your chance to check out what the retail giant has to offer. Walmart Plus is basically Amazon Prime for Walmart. You get free shipping on most orders, early access to deals and new product drops (like PS5 restocks), the best grocery delivery, and more. If Walmart is your go-to option for the best smart home devices or the best tech products in general, you should get a membership. If you want to test out the service, you can sign up for a free trial. We have all the information you need right here.
Is there a Walmart Plus free trial?
There is a Walmart Plus free trial available, and it’s one of the best free trials we’ve seen in terms of how many great features and conveniences you’re able to access. This is really a reflection of how great the Walmart Plus service is, as the Walmart Plus free trial is essentially a 30-day experience of what it would be like to be a paid Walmart Plus subscriber. A Walmart Plus membership can help you save over $1,300 per year, so taking advantage of the 30-day free trial is a great way to get in there and see what those savings will look like. And if grocery delivery is what you're really after, an alternative you might consider is the Instacart free trial -- they have more than one program to try!

As part of a Walmart Plus free trial, you’ll get free shipping with no minimum order, so even small orders will qualify for free shipping. You’ll get fresh groceries and more with no delivery fees, and all at the same low in-store prices Walmart shoppers are used to. Walmart Plus members, and Walmart Plus free trial members, get exclusive access to special promotions and events, as well as a savings of up to 10 cents per gallon on fuel. A new addition to the perks of being a Walmart Plus member is free access to Paramount Plus, a top-notch streaming service with more than 40,000 TV episodes and movies. All of this is accessible for 30 days through a Walmart Plus free trial, and once those 30 days are up, Walmart Plus is just $8.17 per month or $98 annually.

Read more
How to deactivate your Instagram account (or delete it)
Instagram login screen.

If you’re tired of Instagram, deactivating your account could be a good option for you. With Instagram, you have two choices: You can deactivate your account, or you can delete it completely. We’ll review both options, so you can decide if you’d rather take a break or cut ties with Instagram forever. Just be cautious, as deleting your Instagram account removes all of your content permanently, and you won’t be able to get it back.

Read more
How to pin a website to the taskbar in Windows
A man sits, using a laptop running the Windows 11 operating system.

Windows includes many interesting tools, but if you’re like many people, more and more of your digital life is happening in your web browser and nowhere else. That being the case, you’ll want to keep your most important websites close at hand. The easiest way to access them in Windows is the Start menu and the taskbar, treating them more or less like programs in and of themselves.

Although easy overall, getting a website from your browser to your taskbar is slightly different depending on which browser you’re using.

Read more