LASER_oneXM

Level 33
Verified
A bug in the way Gmail handles the structure of the 'From:' header could allow placing of an arbitrary email address in the sender field.
Although this issue opens the door for high-level abuse, at the very least it is possible to add the recipient's address and confuse them about the emails they sent and their content.
Touching the sender field

Software developer Tim Cotten recently investigated an incident at his company when an employee found in the Sent folder of her Gmail account some messages she did not remember sending. At a closer look, the developer discovered that "the emails had not been sent from her account, but were received from an external account and then filed in her Sent folder automatically."
The cause became apparent when looking at the 'From:' header, which showed an anomaly in its structure: it contained the sender's address along with the recipient's.
A victim falling for this trick would see PayPal's support address in the To: field of Gmail for Android when the true destination is the scammer's inbox.
"In order to exploit this vulnerability, the target user only needs to click on a malicious mailto: link," Eli Grey wrote in the initial report, following private disclosure to Google.
He also created a proof of concept that demonstrates how a scammer can steal sensitive information by tricking the victim into believing they're sending a message to a trustworthy address.