惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

U
Unit 42
N
News and Events Feed by Topic
S
Schneier on Security
G
GRAHAM CLULEY
Scott Helme
Scott Helme
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
GbyAI
GbyAI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
C
CERT Recently Published Vulnerability Notes
T
The Exploit Database - CXSecurity.com
C
Cisco Blogs
T
The Blog of Author Tim Ferriss
Cisco Talos Blog
Cisco Talos Blog
P
Privacy & Cybersecurity Law Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
博客园 - 司徒正美
Blog — PlanetScale
Blog — PlanetScale
Project Zero
Project Zero
MyScale Blog
MyScale Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Apple Machine Learning Research
Apple Machine Learning Research
小众软件
小众软件
The Last Watchdog
The Last Watchdog
Vercel News
Vercel News
The Cloudflare Blog
C
Check Point Blog
Help Net Security
Help Net Security
Microsoft Security Blog
Microsoft Security Blog
AI
AI
Simon Willison's Weblog
Simon Willison's Weblog
云风的 BLOG
云风的 BLOG
M
MIT News - Artificial intelligence
Stack Overflow Blog
Stack Overflow Blog
腾讯CDC
NISL@THU
NISL@THU
S
Security @ Cisco Blogs
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
S
SegmentFault 最新的问题
MongoDB | Blog
MongoDB | Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Threatpost
AWS News Blog
AWS News Blog
Cloudbric
Cloudbric
N
News and Events Feed by Topic
PCI Perspectives
PCI Perspectives
S
Securelist
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V
Vulnerabilities – Threatpost
S
Secure Thoughts

Forbes - Consumer Tech

This Unhackable Quantum Navigation System Is The Size Of A Loaf Of Bread Apple At 50 — A Leadership Shift And An AR Future We Are Under-Investing In Robotics ... 90% Of Humanoid Robots Are Made In China Ditch The Apple White: Beats Expands Colorful Cable Line-Up With New 10-Foot Option Satechi’s New ChargeView 140W Desktop GaN Charger With Real-Time Display The Hasselblad In Your Pocket: Oppo’s Find X9 Ultra Challenges The Galaxy S26 Ultra There's No Such Thing As Brain Honey How AI Agents Could Rebuild Fashion’s Visual Production Layer QClaw Goes Global. The Agent Built Itself In 5 Days Apple’s Tim Cook Exit Hides A $4 Trillion Agentic AI Power Move EZQuest Reveals A New Line Of Pro Series USB-C Hubs For MacBook Neo Samsung Galaxy Z TriFold 2 Already In The Works, Report Claims Apple Revealed New Siri Release Date For iPhone, Latest Report Claims How Arcani’s HARK Is Designed For Modern Battlefield Acoustics The Newest Trend In Tech Embraces Femininity And Fun Samsung’s 75R95H Ushers In A New World Of LCD TVs New Apple iPhone Fold Design Pushes Smartphone Rivals To Go Wider And Taller iPhone 18 Pro Report: Four New Colors Leak As Apple Cancels Popular Shade Nothing’s Design-Led Strategy: Carl Pei Reveals The Tech Brand’s Philosophy iOS 26.5 Release Date: When To Expect Your iPhone Messaging Upgrade Google Pixel And Highsnobiety Build A Talent Pipeline For Fashion Android Circuit: Samsung Raises Galaxy Prices, Oppo Pad Mini Teased, Microsoft Closing Outlook App Apple Loop: iPhone Fold Launch Dates, iPad Air Upgrade, iPhone 18 Pro Specs Comcast $117.5 Million Breach Settlement — Are You Eligible? Amazfit Cheetah 2 Pro Takes Aim At The Garmin Audience Disney’s Launches ‘Infinity Vision’ Certification For Premium Theaters SoundPeats Reveals New Air6 HS Semi-Open Wireless Earbuds Amazon’s $11.57 Billion Leap Into Space: A Challenge To Starlink Meta Quest 3 Hit With $100 Price Increase Backblaze Stops Backing Up Dropbox And Others—Calls It An Improvement ‘Technically Hard To Do’: Why Samsung’s Galaxy S26 Ultra Privacy Display Is A Global First Ulanzi Launches D200X Creative Deck To Challenge Logitech And Elgato Plugable’s New 10-In-1 USB-C Hub Has Most Of The Ports You’ll Need AI Solved A Mathematical Problem That Had Stumped The World’s Best Minds For Decades RØDE Announces A Slew Of New Podcasting Innovations At NAB 2026 Samsung SmartThings Gets Smarter, Safer And More Personal Apple Announces Events In Run-Up To TCS London Marathon Apple Now Largest Smartphone Maker. Also, Samsung Now Largest Universal Announces 8-Movie ‘Steven Spielberg: The Spotlight Collection’ 4K Blu-Ray Boxset Denon Unveils Versatile New Living Room AV Receiver Google Android PIN Hackers Target 800 Apps During Attack Surge Canva AI 2.0 Launches With New Features And Conversational AI Govee’s New $450 Lightwall Brings RGBIC Effects Indoors And Out New Garmin Watch Is One Of The Most Expensive Yet The One Catch To Samsung’s New AirDrop-Style Sharing On Galaxy S26 World-First: Humanoid Robot On Live Industrial-Scale Electronics Production Line Cadence Teams With Nvidia And Google To Redefine AI System Engineering Dolby Files Lawsuit Against Barco Over HDR Patents Apple To Bring Major Upgrade To iPad Air In Months, Report Claims iPhone Setting Update—Stop FBI From Accessing Deleted Signal Messages GoPro Mission 1 Levels Up Action Cameras But One Mystery Remains Adobe Brings Chat To Firefly AI Assistant Across Creative Cloud Apps Sky Eyes Up Ring With Standalone Smart Home Launch Orico’s New X50 Thunderbolt 5 Compatible Enclosure Offers High-Speed Fanless Storage How 2,000 Tons Of Sand Stores 100 Megawatt-Hours And Slashes Carbon Emissions 70% iPhone’s Hidden Strength In The Rush To Wide Foldable Smartphones New Samsung Galaxy Price Shock Is Bad News For 2026 Buyers Can The Power Of AI Help You To Chat With Your Cat? Inside China’s Push To Build Birdlike Drones Sky Glass Air All-In-One Budget TV With Seamless Access To Sky Channels Booking.com Confirms Data Breach, Reservation PIN Codes Changed Google, DressX And The New Fashion AI Virtual Try-On Stack Why Major News Sites Are Blocking The Internet Archive’s Wayback Machine iPhone Fold Release Date: New Report Details Frustrating Apple News Humanoid Robots’ 88% Fail Rate: Completing Home Tasks Why Your Next Smartphone Could Have Lower Specs And A Higher Price Apple iPhone Fold: Striking Design Revealed In Leaked Photos Here’s The Most Affordable Humanoid Robot You Can Buy Now Samsung’s Disappointing Price Update For Galaxy Phone Buyers Is It Time For Apple To Forget About The MacBook Air Oura Has Designed A Solution To A Big Smart Ring Problem Apple iPhone Fold: Striking Design Revealed In Leaked Photos Adobe Attacks Underway—Windows And Mac Users Given 72 Hours To Update iOS 26.4.1 Release: Crucial iPhone Feature Update Arrives, But No Security Fix Can’t Stand Liquid Glass? This New Hidden iPhone Setting Is A Game-Changer Android Circuit: Galaxy S27 Pro Emerges, Honor 600 Pre-Order Offers, Pixel 11 Display Leaks Apple Loop: iPhone 18 Pro Leak, Urgent iOS Update, MacBook Neo Issues The Costly Dream Of Space-Based AI Infrastructure Adobe Attacks Underway—Windows And Mac Users Given 72 Hours To Update New Google Security Warning For Android 14, 15 And 16 Users—Update Now Fosi Launches CD Player With Built-In DAC And Headphone Amplifier The Shift From Place To Performance In Workplace Design Dyson Just Launched A $99 Gadget: Meet The HushJet Mini Cool Fan Apple iOS 26.4.1 Unexpected New iPhone Software: Should You Upgrade? LG Announces All U.K. And Some U.S. Pricing For Its 2026 TV Range Google Brings New 2FA Bypass Protection To Chrome For Windows Users iOS 26.4.1 Release: Crucial iPhone Feature Update Arrives, But No Security Fix SiFive's $400M Round Signals A RISC-V Moment In AI Data Centers Google Issues Critical Update Alert For 3.5 Billion Chrome Users Apple Vision Pro Gets A Major Gaming Upgrade Disney Announces ‘Alice In Wonderland’ 4K Blu-Ray, Featuring An All-New 4K Restoration Surprise Galaxy S27 Leak Gives Samsung New Options Aqara Thermostat Hub W200: Matter Controller With Smart Heating Skills Now On Sale AI Transformation: No-One’s At The Wheel, Says 500-Company Study Insta360 Launches Screen For Taking Selfies With A Phone’s Rear Camera Apple iPhone Fold Gets New Release And Screen Confirmation Angry Hacker Drops Microsoft Zero-Day Exploit, 1 Billion Users Warned Artemis II Just Dropped Stunning Wallpapers For Your Phone Or PC New Amazon Hack Attack—Alert For 300 Million Users Apple’s 2026 Shake-Up: iPhone 18 Pro Leaks While iPhone Fold Steals The Show
‘Significant Threat’—Billions Of Gmail Users At Risk From Google Security Gaffe
Davey Winder · 2026-05-12 · via Forbes - Consumer Tech
Gmail logo on smartphone, with Google logo displayed in the background of image.

Google security flaw is a significant threat to nearly all Gmail users.

CFOTO/Future Publishing via Getty Images

Updated May 12: This article, orginally published May 11, which revealed a critical flaw in the integration between Gmail and Google Drive that poses a significant security threat to nearly everyone who uses a Gmail account, has now been updated to include details of a second security discrepancy uncovered by the same researcher, this time concerning a circumvention of Google Drive’s dangerous files protection warnings. Here’s everything you need to know about both security issues, along with advice on how billions of Gmail users can stay safe.

According to Blake Barnes, Google’s own vice president of product for Gmail, “3 billion users rely on Gmail to connect and get things done,” while Google Drive has an estimated one billion active users. I can exclusively reveal that an architectural flaw in the integration between the two services poses a significant security threat to “nearly every individual with a Gmail account.” A new report has confirmed, with a proof of concept, that attackers can leverage Gmail and Google Drive as a high-trust malware delivery infrastructure by delivering malicious attachments that receive a misleading and dangerous “scanned by Gmail” seal of approval. Here’s everything you need to know, including the response from Google itself.

ForbesGoogle Play ‘Call History For Any Phone Number’ Scam Cons MillionsBy Davey Winder

Scanned By Gmail Doesn’t Provide The Attachment Security You Might Think It Does

The most popular free web service on the planet, Gmail, has a lot of security positives. And, oh boy, does it need them as it is under persistent attack from hackers and scammers alike. Thankfully, both Gmail and Google Drive have mechanisms in place to prevent them from being used to distribute the type of malicious files often used in such attacks. However, as Ben Ilkashi, a security researcher at Pentera Labs, exclusively shared with me, it is possible for an attacker to exploit these to devastating effect. “What if I told you that you could trick a machine into displaying your malicious attachment as completely safe?” Ilkashi said. “What if I told you that you could get Google itself to sign off on your phishing payload and effectively achieve the holy grail of phishing attacks?” That grail is absolute and unquestioned credibility. Trust on steroids, if you like.

Ilkashi’s research, now published by Pentera Labs following a 90-day responsible disclosure period, has highlighted an architectural misalignment within Google’s unified security framework that enables malware that is “otherwise explicitly blocked by Gmail’s attachments scanner” to be hosted on Drive and delivered to recipients alongside a “Scanned by Gmail” label of trust. First reported through the Google Bug Hunters program on December 14, 2025, Google confirmed that it was a duplicate of an “internally tracked issue.” On January 22, Google’s Trust and Safety unit confirmed that “no fix timeline was available,” according to Ilkashi, and the decision regarding disclosure timing was up to Pentera Labs.

MORE FOR YOU

ForbesCritical New Google Update—127 Chrome Security Vulnerabilities ConfirmedBy Davey Winder

Google’s Serious Gmail And Drive Security Gaffe Explained

This serious Google security gaffe came to light when Ilkashi was initially researching the malicious use of Scalable Vector Graphics as a phishing campaign payload. “As part of my payloads testing against popular providers,” Ilkashi explained, “I encountered an attachment block in Gmail.’ This was accompanied by a ‘virus detected’ label when attaching the file, and Gmail prevented the payload from being sent. Google Drive also has a scanning mechanism marking malicious files as ‘Flagged for abuse’ and preventing anyone aside from the author from being able to download them, alongside a warning interstitial that alerts users before downloading potentially harmful file types. That’s the good news, and you know what’s coming next, don’t you?

The bad news is that Ilkashi was able to send a malicious SVG sample, already flagged by Gmail as ‘virus detected’ and blocked from being sent as a result, by using Google Drive as a hosting platform. “Contrary to Gmail’s detection,” Ilkashi explained, “Google Drive did not classify this file as malicious.” Yes, you read that right: despite already being flagged as a virus, Gmail’s own Drive attachments feature allowed it to be uploaded to Drive and configured to be accessible to anyone possessing the share link. This is an architectural misalignment between the scanning mechanisms, and it’s something that poses a danger to almost all users of Gmail as a result. A new email could be composed, including a now-known-to-be-malicious file link from Drive, but Gmail did not scan it again and instead just sent it as if nothing was wrong. Complete with a misleading scanned by Gmail label.

Do not trust the 'Scanned by Gmail' assurance.

Pentera Labs

The issue appears to be that Gmail grants implicit trust to files that originate from Google Drive, assuming that because it is within the internal ecosystem other is pre-vetted and, as such, Gmail then bypasses its standard verification steps “allowing the malicious payload to inherit the 'safe' status of its storage
container,” Ilkishi said.

Google Drive’s Incomplete Scan Warning Circumvention For ‘Blocked By Gmail’ File

Amazingly, considering that this is the first published research report from Ilkashi, he managed to find not one but two problems that are worthy of serious attention. Explaining that his curiosity, having discovered the “Scanned by Gmail” vulnerability, had peaked and led to the pondering of whether other issues existed within the Google Drive and Gmail service integration, Ilkashi wondered “what would happen if a payload was not detected as a virus by Gmail.” It’s worth a little bit of background here, in that an executable not detected as a virus is “Blocked for security reasons” in Gmail, with Google stating that a recipient can ask the sender to upload the file to Drive “if you’re sure it is safe” and then “send it as a Drive attachment.”

Ilkashi said this got him thinking about what would happen if Google Drive couldn’t label your malware as “Flagged for abuse” after an incomplete scan, for example. Drive will then display another warning pop-up stating it cannot be scanned for viruses or that the file type might be dangerous, and offering an option to download it anyway. “This warning message is crucial because it indicates an incomplete scan of the file by Google,” Ilkashi said, “a circumstance that significantly increases the user's risk upon downloading and executing it.” But what if that warning could be bypassed?

Here we go again. A malicious sample was created that wasn’t recognized as known malware by either Gmail or Drive. The sample was duly labeled by Gmail as “Blocked for security reasons” rather than Virus detected”, but when uploaded to Drive was not labeled as “Flagged for abuse,” Ilkashi reported. So he then attached the share link to an email and sent it, only for this to once again be “ presented as an attachment,” and accompanied by the "Scanned by Gmail" label. The expected warning was completely missing, and Ilkashi said that he could “download the file in Gmail’s endpoint (mail.google.com) directly from the email and from the file preview, without any warning page or popup.” Opening the link itself, and Athen attempting to download the file from Drive directly, however, did display the expected warning screen.

Ilkashi concluded that this represented a flaw within the implementation of the Google Drive file download mechanism within Gmail’s endpoint, ultimately enabling unwary users to download files that had not been appropriately scanned and without triggering Google’s safety warnings. “This finding reinforces the fact that Gmail’s and Drive’s file handling mechanisms are not aligned,” Ilkashi warned, “This misalignment allows attackers to identify gaps, such as those presented in this article, and exploit them so that Google’s services effectively serve as a convincing and trustworthy delivery infrastructure.”

Google Responds To Gmail Attachment Security Disclosure

“We have demonstrated two distinct logic flaws,” Ilkashi said, “each undermining a different security mechanism, suggesting that further security issues can possibly arise, due to the inherent complexity and the implicit trust in the integrated
architecture of Google Workspace services.”

I reached out to Google, and a spokesperson provided the following statement: "Protecting Google Workspace users is our top priority. Gmail and Google Drive automatically block the vast majority of malicious files—including dangerous executable attachments—before they can ever reach an inbox." However, as the Pentera Labs research, along with a fully working proof of concept, shows, this simply isn’t good enough when attackers are able to exploit user trust and disguise malicious payloads behind the “Scanned by Gmail’ facade of legitimacy.

ForbesMy Password Has Been Stolen—What Happens Next?By Davey Winder

Google has said it is actively updating the user interface to clarify how safety checks are displayed when files are shared via Google Drive links, giving users a clear and accurate security context at all times. Google also said that Gmail’s “built-in defenses successfully prevent users from sending or receiving dangerous file types, such as executables, as direct email attachments,” stating that “this fundamental security boundary has not changed and remains fully operational.”

Google told me that Gmail proactively displays prominent, red warning banners to alert users if they receive a message containing a link that is later determined to point to a potentially suspicious or un-scanned file. Furthermore, while Google Drive allows users to upload files to their personal storage, it employs robust automated scanning to detect malware and block users from downloading or sharing infected files to prevent device compromise. Google also reiterated that it regularly works with the broader cybersecurity research community to identify opportunities to refine its protections and is appreciative of their contributions to a secure ecosystem.

Which is great, apart from the fact that the issue as outlined by Ilkashi and Pentera Labs remains exploitable. The proof of concept is valid, and I have seen this in action myself, it utilized a crafted ransomware executable that employs an xor-based encryption as a payload. “For the purpose of this demonstration,” Ilkashi said, “the ransomware will search and encrypt a file called encrypt-me.txt in the same directory. However, this could be easily modified to initiate an infinite end-to-end attack vector, utilizing Google's products as a credible delivery mechanism.”

This “is not an isolated or theoretical edge case, but a reproducible architectural gap,” Ilkishi warned, adding that if it can be discovered through security analysis, “it can also be identified and leveraged by motivated adversaries.” Until Google addresses this security flaw, all Gmail users are advised to treat emails containing Google Drive links or attachments as potentially dangerous, regardless of any “Scanned by Gmail” label.