Security News Gmail Bugs Allow Changing From: Field and Spoofing Recipient's Address

LASER_oneXM

Feb 4, 2016
A bug in the way Gmail handles the structure of the 'From:' header could allow placing of an arbitrary email address in the sender field.
Although this issue opens the door for high-level abuse, at the very least it is possible to add the recipient's address and confuse them about the emails they sent and their content.
Touching the sender field

Software developer Tim Cotten recently investigated an incident at his company when an employee found in the Sent folder of her Gmail account some messages she did not remember sending. At a closer look, the developer discovered that "the emails had not been sent from her account, but were received from an external account and then filed in her Sent folder automatically."
The cause became apparent when looking at the 'From:' header, which showed an anomaly in its structure: it contained the sender's address along with the recipient's.
A victim falling for this trick would see PayPal's support address in the To: field of Gmail for Android when the true destination is the scammer's inbox.
"In order to exploit this vulnerability, the target user only needs to click on a malicious mailto: link," Eli Grey wrote in the initial report, following private disclosure to Google.
He also created a proof of concept that demonstrates how a scammer can steal sensitive information by tricking the victim into believing they're sending a message to a trustworthy address.
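As an added example (not part of the article, nor of Tim Cotten's or Eli Grey's own work), here is a Python check a mail administrator could run over incoming messages to flag From: headers shaped like the ones described above: a header that carries more than one mailbox, a display name that is itself an address, or the recipient's own address appearing inside the From: header. The sample messages and addresses are constructed.

```python
"""Added example: flag the From: header anomaly described in the article."""
import email
from email.utils import getaddresses


def from_header_findings(raw_message: str) -> list:
    """Return a list of From: anomalies for one RFC 5322 message (empty = looks normal)."""
    msg = email.message_from_string(raw_message)  # compat32 policy: plain-string headers
    findings = []

    from_values = msg.get_all("From") or []
    if len(from_values) != 1:
        findings.append("expected exactly one From header, found %d" % len(from_values))

    # Mailboxes actually parsed out of From:; a legitimate message has exactly one.
    from_pairs = getaddresses(from_values)
    from_addrs = [addr.lower() for _, addr in from_pairs if addr]
    if len(from_addrs) > 1:
        findings.append("From header carries %d mailboxes: %s" % (len(from_addrs), from_addrs))

    # A display name that is itself an address lets a client show one address
    # while the real mailbox is another.
    for name, addr in from_pairs:
        if "@" in name:
            findings.append("From display name looks like an address: %r (mailbox is %s)" % (name, addr))

    # The recipient's own address has no business appearing anywhere in From:.
    recipient_headers = (msg.get_all("To") or []) + (msg.get_all("Cc") or [])
    recipient_addrs = {addr.lower() for _, addr in getaddresses(recipient_headers) if addr}
    from_text = " ".join(from_values).lower()
    leaked = sorted(a for a in recipient_addrs if a in from_text)
    if leaked:
        findings.append("recipient address appears inside From header: %s" % leaked)
    return findings


def is_suspicious(raw_message: str) -> bool:
    return bool(from_header_findings(raw_message))


# Constructed samples; example.com / example.net are reserved documentation domains.
NORMAL = "From: Alice <alice@example.net>\nTo: victim@example.com\nSubject: hi\n\nbody\n"
TWO_MAILBOXES = ("From: Alice <alice@example.net>, victim@example.com\n"
                 "To: victim@example.com\nSubject: hi\n\nbody\n")
ADDRESS_AS_NAME = ('From: "victim@example.com" <alice@example.net>\n'
                   "To: victim@example.com\nSubject: hi\n\nbody\n")

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL), ("two mailboxes", TWO_MAILBOXES),
                          ("address as name", ADDRESS_AS_NAME)):
        print(label, "->", from_header_findings(sample) or "ok")
```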