Can a User Spoof the Google Authenticated Domain for a Gmail account?


I am using OAuth for my ASP.Net, Web-Pages (with C#) site, which will one day be a public site. Within this public site, there is a partial CMS implemented where only users with employee emails (i.e. emails from our company domain only, say, "ourcomp.net") should be allowed to register. Our company's domain/email is managed through Gmail.

I have set up OAuth (Google only) for login and it works great, but I was wondering how secure it is that I am currently checking the last part of the email address string, upon registration, for our company's domain, like this:

var result = OAuthWebSecurity.VerifyAuthentication(Href("~/Account/RegisterService", new { returnUrl }));

if (result.IsSuccessful)
{
    bool registered = OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false);

    if (registered)
    {
        Context.RedirectLocal(returnUrl);
        return;
    }

    email = result.UserName;

    if (!EmailValidator.IsEmailAdress(email)) //Simple Regex to check email string.
    {
        errorMessage = "The email address supplied was not a valid email address. ";
        errorMessage += "Please return to the main page and try again. If the problem ";
        errorMessage += "persists, please notify a site administrator for help.<br/><br/>";
        errorMessage += "<a class=\"retreatLink\" href=\"/\">Main Page</a>";
    }

    if (!email.EndsWith("@ourcomp.net")) //**THIS IS THE PART IN QUESTION**
    {
        errorMessage = "Your email address was valid, however, it seems that it's ";
        errorMessage += "not a \"City of Okmulgee\" email address. Please ensure that ";
        errorMessage += "your email address is part of the \"@ourcomp.net\" domain.<br/><br/>";
        errorMessage += "If you are having trouble changing your email address ";
        errorMessage += "try visiting Google's <a href=\"https://mail.google.com\">Gmail</a> ";
        errorMessage += "page and logging out. After you have logged out of gmail, revisit ";
        errorMessage += "the <a href=\"/\">main page</a> and click the ";
        errorMessage += "\"Log-in!\" button again. Then, when prompted by Gmail services, ";
        errorMessage += "log back in using a valid \"ourcomp.net\" email address.<br/><br/>";
        errorMessage += "For more help visit <a href=\"https://support.google.com/mail/answer/8154?hl=en\">";
        errorMessage += "Gmail Help</a> for quick steps on how to log-out of your Gmail account.";
    }
}

More code/security goes on from here, but I think I have provided enough for this question (please let me know, if not). Is there a way for a random public user to "spoof" their domain, thus passing my if (!email.EndsWith("@ourcomp.net")) check, while not actually being a member of our company's domain? I know there are ways that someone can send email with whatever email address they want, but I wouldn't expect they could "sign in" to Google this way, right? I need to know so that I know whether I need to lock all new accounts until reviewed or not (or possibly other approaches).

Please forgive my lack of knowledge with OAuth and Google authentication, I'm still pretty new to this part of ASP.Net, and to no surprise, I wasn't able to find anything on this online.


There are 0 answers
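A defender-side version of the domain check, added here as an example and not the asker's code: it decides on the claims Google returns (email_verified and the hd hosted-domain claim) rather than on the shape of the email string alone. It assumes the OAuth library has already fetched and validated the userinfo/ID-token payload, and uses System.Text.Json (.NET Core/5+) instead of the ASP.NET Web Pages stack in the question; the sample payloads are constructed, not real Google responses.

```csharp
using System;
using System.Text.Json;

// Added example: is this Google sign-in really an account owned by the company domain?
// Assumes the JSON is a Google userinfo / ID-token payload whose signature or origin the
// OAuth library has already verified. Claim names follow Google's documented fields.
public static class CompanyDomainCheck
{
    const string CompanyDomain = "ourcomp.net";

    public static bool IsCompanyAccount(string userInfoJson, out string reason)
    {
        using var doc = JsonDocument.Parse(userInfoJson);
        var root = doc.RootElement;

        // 1. Only trust the address if Google itself asserts that it verified ownership.
        if (!root.TryGetProperty("email_verified", out var verified) || !verified.GetBoolean())
        { reason = "email not verified by Google"; return false; }

        // 2. Compare the exact domain part case-insensitively, rather than EndsWith on the raw
        //    string, so "Alice@OurComp.net" is accepted and stray whitespace is not.
        var email = (root.GetProperty("email").GetString() ?? "").Trim();
        int at = email.LastIndexOf('@');
        if (at < 0 || !string.Equals(email.Substring(at + 1), CompanyDomain,
                                     StringComparison.OrdinalIgnoreCase))
        { reason = "domain mismatch"; return false; }

        // 3. For Google Workspace accounts the "hd" claim names the organisation that owns the
        //    account; requiring it rejects a consumer account whose address merely resembles ours.
        if (!root.TryGetProperty("hd", out var hd) ||
            !string.Equals(hd.GetString(), CompanyDomain, StringComparison.OrdinalIgnoreCase))
        { reason = "hd claim missing or not the company domain"; return false; }

        reason = "ok";
        return true;
    }

    public static void Main()
    {
        // Constructed sample payloads (not real Google responses).
        var good = "{\"email\":\"Alice@OurComp.net\",\"email_verified\":true,\"hd\":\"ourcomp.net\"}";
        var unverified = "{\"email\":\"bob@ourcomp.net\",\"email_verified\":false}";
        var consumer = "{\"email\":\"carol@ourcomp.net\",\"email_verified\":true}";
        foreach (var payload in new[] { good, unverified, consumer })
        {
            bool ok = IsCompanyAccount(payload, out var reason);
            Console.WriteLine($"{ok}: {reason}");
        }
    }
}
```

Accounts that fail any of the three checks can still be created but left locked for manual review, which is the fallback the question mentions.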