Broken Access: Posting to Google private groups through any user in the group

(My main goal in this post is to show tricks for bug hunters, today I’m showing Email Spoofing)

Recently I reported a bug in Google Groups to Google, but received the following response:

“Thanks for reporting! We think the issue might not be severe enough for us to track it as a security bug.”

So I decided to share this trick with you; I think it can be useful for some people.

*Note that the "bug" has not been fixed.

Google Groups:

Google Groups allows you to create and participate in online forums and email-based groups with a rich experience for community conversations.

To create a group we need to fill in some information:
1- Group Name (Ex: testpocgoogle)
2- Email of the group (Ex:
3- Description of the group
and also some basic permissions (Ex: only members of the group can post [Standard]).

When something is posted to the group, every member receives a notification email containing the content of the post. That email also includes some "help" text from Google Groups.


Among them “To post to this group, send email to”

So we can: Post to the group just by sending an email to
or stop receiving notifications by sending an email to

Unauthorized posts:

Take as an example the user "elbtests acc -": he is in the group, so he can create posts and comment on them.
The attacker knows that this user is in the group but does not have access to his account (Acc
Knowing that posts can be made via email, the attacker decides to try email spoofing.

Email Spoofing:

Email spoofing is the creation of email messages with a forged sender address: the From header simply says whatever the sender writes in it, and nothing in SMTP itself ties it to the account that actually sent the message.

To perform this "attack" I used the site


After filling in the right information and submitting the request, the group admin receives the post attributed to the real member of the group; with that site's settings, however, I saw that the message landed in Spam.


Bypassing the spam filter:

To get the post delivered directly to the group, I used an SMTP server of my own with settings the spoofing site evidently lacked: SPF and DKIM, with a 2048-bit DKIM key, since a 1024-bit key still usually landed in Spam in my tests.
Note that SPF and DKIM here authenticate the attacker's own sending domain, not the address in the From header: they only make the message look like well-behaved mail, while the From address is what decides who the post is attributed to.
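The following is an added example, not code from the post or from Google; it reproduces the mechanics described above in a form you can run offline. It builds a message whose visible From is a group member while the SMTP envelope sender (what SPF is checked against) and the DKIM signing domain belong to the attacker, evaluates a constructed SPF record, and then runs the receiver-side DMARC alignment logic that shows why a passing SPF/DKIM result says nothing about the From address. All addresses, domains, IPs and the SPF record are assumed placeholders, and DKIM signature verification itself (which needs the attacker's RSA key) is taken as given rather than implemented.

```python
"""Added example: spoofed group post + receiver-side SPF/DMARC evaluation.

Not the post's own code. Every address, domain, IP and DNS record below is a
constructed placeholder (assumption), chosen only to illustrate the mechanics.
"""
import ipaddress
from email.message import EmailMessage
from email.utils import parseaddr

VICTIM = "member@example.com"          # assumed: the group member being impersonated
GROUP = "testpocgoogle@example.org"    # assumed: the group's posting address
ATTACKER_DOMAIN = "attacker.example"   # assumed: attacker's own domain with SPF + DKIM
ATTACKER_IP = "203.0.113.5"            # assumed: address the attacker's SMTP server uses
ATTACKER_SPF = "v=spf1 ip4:203.0.113.0/24 -all"   # assumed TXT record the attacker publishes


def build_spoofed_post(victim, group, attacker_domain, subject, body):
    """Return (envelope_sender, message).

    The header From: is the victim, which is all a 'members only' rule looks at.
    The SMTP envelope MAIL FROM is under the attacker's domain, so SPF for that
    domain can legitimately pass."""
    msg = EmailMessage()
    msg["From"] = victim
    msg["To"] = group
    msg["Subject"] = subject
    msg.set_content(body)
    return f"bounce@{attacker_domain}", msg


def spf_check(record, client_ip):
    """Minimal SPF evaluator: ip4 mechanisms plus the 'all' mechanism."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:            # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue                            # include:, a, mx ... not modelled here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def org_domain(domain):
    """Organizational domain, simplified to the last two labels
    (real implementations consult the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_evaluate(msg, envelope_sender, spf_result, dkim_result, dkim_domain, policy):
    """DMARC: an SPF or DKIM pass only counts if the authenticated domain
    aligns with the From: domain. policy is the From domain's p= value."""
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[1]
    spf_domain = envelope_sender.rsplit("@", 1)[1]
    spf_aligned = spf_result == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_aligned = dkim_result == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    dmarc_pass = spf_aligned or dkim_aligned
    disposition = "accept" if (dmarc_pass or policy == "none") else policy
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": dmarc_pass,
            "disposition": disposition}


def group_accepts_post(msg, members, dmarc, require_alignment):
    """The authorization decision. Keying it on From: alone is the weakness the
    post exploits; requiring DMARC alignment ties From: to an authenticated domain."""
    sender = parseaddr(msg["From"])[1].lower()
    if sender not in members:
        return False
    return dmarc["dmarc_pass"] if require_alignment else True


if __name__ == "__main__":
    envelope, msg = build_spoofed_post(VICTIM, GROUP, ATTACKER_DOMAIN, "hello", "posted by email")
    spf = spf_check(ATTACKER_SPF, ATTACKER_IP)   # passes: it is the attacker's own record
    dmarc = dmarc_evaluate(msg, envelope, spf, "pass", ATTACKER_DOMAIN, policy="none")
    print(msg)
    print("SPF:", spf, "| DMARC:", dmarc)
    print("members-only check:", group_accepts_post(msg, {VICTIM}, dmarc, require_alignment=False))
    print("with alignment required:", group_accepts_post(msg, {VICTIM}, dmarc, require_alignment=True))
```

Run as a script it prints the spoofed message, an SPF pass for the attacker's domain, a DMARC result with neither identifier aligned, and the two authorization outcomes: the From-only check accepts the post, the alignment-aware check rejects it. The `policy` argument is what the victim's domain would publish; with `p=none` the receiver accepts regardless, which is exactly the situation in which a well-configured attacker server gets past the spam filter.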

[The video at the beginning of the post demonstrates this]


Now the email is not marked as spam and is posted directly in the group as my test user; for this I only needed the email address, with no password or 2FA bypass.

The notification email with the content of the post was then sent to every member following the group.

(In the video, a notification appears in the Gmail tab right after the form's POST request is sent.)


Additional Information:

In addition to posting, the attacker can also unsubscribe the victim from the group, since the unsubscribe address works the same way.
The post made by the attacker appears in the victim's own history: if she logs in to her profile and looks at "Recent Activities", a post she never made will be there.
If the admin sees the message in the Spam tab or in the group itself and clicks "ban user", the victim is banned without having done anything.
Google Groups hides members' email addresses, but they can be found in your Gmail when you receive post notifications.

Written by

Pentester, CTF player, Bug Hunter & Security Researcher. Twitter:
