Sender Field Error
Recently, software developer Tim Cotton discovered an issue within his company, where the Sent folder of a female employee's Gmail account was not showing the emails she had actually sent.
Gmail Bug Allows Modification of 'From:' Field Structure
During the investigation into this Gmail issue, the software developers found that the emails had not been sent from the employee's account at all, but from an external automated account.
The cause becomes clear on inspecting the structure of the 'From:' field. Normally this field carries the sender's address together with the recipient's.
According to the developer, however, the 'From:' field had been crafted to contain only the recipient's address plus other text. Gmail reads the 'From' field to filter and organize incoming mail, so the incoming messages were treated as though the recipient had sent them.
Cotton reported the issue to Google but has not yet received a response. He also mentioned that in another experiment, using a slightly different 'From:' structure, the issue persisted; Gmail's servers refused to deliver messages to accounts with multiple addresses, suggesting that that bug had been addressed.
If an attacker places the recipient's address in the 'From:' field, the email is first delivered to the inbox, where it is visible to the user. A copy then appears in the Sent folder with the subject line in bold. Users who notice these signs should treat such incoming emails with caution.
The attacker's objective
However, the risk could be higher: as the developer explains, if attackers target businesses they may use the opportunity to distribute malicious links. Technically, an attacker can also place any email address in the header, inside double quotation marks, to impersonate a sender.
The example above illustrates how a user name can be paired with an arbitrary email address. Although not perfect, this is enough for attackers to carry out tricks such as Business Email Compromise (BEC) attacks, sending emails that appear to come from a responsible person within an organization or from a payment authorization body.
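The two symptoms described in this section, a 'From:' header that names the recipient's own address and a quoted display name that carries a different address than the real sender, can be checked mechanically before a message reaches a user. The following is an added example written for this article, not code from the article or from Cotton's report; the message samples are constructed, and the finding tags (`self_addressed`, `multiple_addresses`, `address_in_display_name`) are names chosen here.

```python
"""Audit the From: header of an RFC 5322 message for the patterns described above.

Added example (not from the article). Sample messages below are constructed.
"""
import re
from email.parser import Parser

# A bare addr-spec appearing anywhere in a header value.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A quoted display name followed by an angle-bracketed address.
NAMED_RE = re.compile(r'"([^"]*)"\s*<([^>]+)>')


def audit_from_header(raw_message: str, mailbox_owner: str) -> list[str]:
    """Return finding tags for the From: header of one message.

    mailbox_owner is the address of the inbox the message was delivered to.
    """
    msg = Parser().parsestr(raw_message, headersonly=True)
    from_value = msg.get("From", "")
    findings: list[str] = []

    addrs = {a.lower() for a in ADDR_RE.findall(from_value)}
    # The bug in the article: From: carries the recipient's own address,
    # so the client files the message as if the recipient had sent it.
    if mailbox_owner.lower() in addrs:
        findings.append("self_addressed")
    # More than one distinct address in From: is never legitimate for a
    # single-author message and is what Gmail's servers started refusing.
    if len(addrs) > 1:
        findings.append("multiple_addresses")
    # A display name in double quotes that contains an address differing
    # from the real angle-bracket address is the impersonation trick.
    for display_name, angle_addr in NAMED_RE.findall(from_value):
        name_addrs = {a.lower() for a in ADDR_RE.findall(display_name)}
        if name_addrs and angle_addr.strip().lower() not in name_addrs:
            findings.append("address_in_display_name")
    return findings


# Constructed samples (not real mail). The inbox owner is bob@example.com.
OWNER = "bob@example.com"
NORMAL = (
    "From: Alice Example <alice@example.com>\r\n"
    "To: bob@example.com\r\nSubject: Lunch\r\n\r\nSee you at noon.\r\n"
)
SELF_ADDRESSED = (
    "From: bob@example.com Accounts Payable\r\n"
    "To: bob@example.com\r\nSubject: Invoice\r\n\r\nPlease review.\r\n"
)
NAME_IMPERSONATION = (
    'From: "ceo@example.com" <mailer@attacker.invalid>\r\n'
    "To: bob@example.com\r\nSubject: Urgent\r\n\r\nWire the funds today.\r\n"
)

if __name__ == "__main__":
    for label, sample in [("normal", NORMAL),
                          ("self-addressed", SELF_ADDRESSED),
                          ("name impersonation", NAME_IMPERSONATION)]:
        print(f"{label:20s} -> {audit_from_header(sample, OWNER)}")
```

The checks deliberately use plain regular expressions on the raw header value rather than a full address parser: the whole point of these messages is that they are malformed, and strict parsers either reject them outright or normalise them differently across library versions, which is exactly where an inconsistency between mail server and mail client opens up.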
Flaw allowing impersonation of recipient addresses
Besides the bug discovered by Cotton, Gmail previously had an issue that allowed the recipient address to be spoofed.
The issue has been fixed in Gmail for the web but remains exploitable in the Android app, nearly 19 months after Google received the bug report.
Because of incomplete validation of the data in the Compose box, it is possible to build a 'mailto:' URI containing two email addresses, one of which carries both a recipient name and a sender address and looks just like a valid one, as in the example below:
mailto:'[email protected]'
A victim of this trick sees PayPal's support address in the 'To:' field of the Gmail app for Android.
In the initial report, after disclosing the vulnerability to Google, Eli Grey shared: 'to exploit this flaw, the target user only needs to click on the malicious mailto: link'.
He also created and provided a proof of concept showing how scammers could steal sensitive information by tricking victims into believing they are sending email to a trustworthy address.
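The root cause described here is a Compose box that accepts whatever the 'mailto:' link hands it. The following is an added example, not code from the article, from Google or from Eli Grey's proof of concept; it shows the validation a mail client should apply to a 'mailto:' recipient before populating the 'To:' field: percent-decode, then accept only bare addr-specs, rejecting anything with quotes, angle brackets or more than one address per recipient. The URIs are constructed and use reserved example domains.

```python
"""Validate the recipient part of a mailto: URI before it reaches a Compose box.

Added example (not from the article). Sample URIs are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Exactly one plain addr-spec, nothing else: no quotes, no display name,
# no angle brackets, no second '@'.
PLAIN_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_mailto(uri: str) -> tuple[bool, list[str], str]:
    """Return (accepted, recipients, reason) for a mailto: URI.

    Recipients come from the path part and, per RFC 6068, from any 'to'
    query parameter. Each one must be a bare address after decoding.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "mailto":
        return False, [], "not a mailto: URI"

    # Decode first: an attacker can hide quotes and brackets behind
    # percent-encoding, so validating the raw path is not enough.
    candidates = [r.strip() for r in unquote(parts.path).split(",")]
    candidates += [r.strip()
                   for v in parse_qs(parts.query).get("to", [])
                   for r in v.split(",")]
    recipients = [r for r in candidates if r]

    if not recipients:
        return False, [], "no recipient"
    for r in recipients:
        if not PLAIN_ADDR_RE.match(r):
            # This is where a '"support@bank.example" <x@attacker>' style
            # recipient is refused instead of being shown as the bank's address.
            return False, [], f"recipient is not a bare address: {r!r}"
    return True, recipients, "ok"


# Constructed sample links.
LEGIT = "mailto:alice@example.com?subject=Hello"
LEGIT_QUERY_TO = "mailto:?to=alice@example.com"
DISPLAY_NAME_TRICK = 'mailto:"support@bank.example" <collector@attacker.invalid>'
ENCODED_TRICK = "mailto:%22support@bank.example%22%20%3Ccollector@attacker.invalid%3E"

if __name__ == "__main__":
    for link in (LEGIT, LEGIT_QUERY_TO, DISPLAY_NAME_TRICK, ENCODED_TRICK):
        accepted, rcpts, reason = validate_mailto(link)
        print(f"{'ACCEPT' if accepted else 'REJECT':6s} {rcpts} {reason}")
```

A client that applies this rule shows the user exactly the address it will send to, which is the property the Android app lacked: the rejected links here are the ones where the displayed name and the real destination would have differed.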
To secure your Gmail account, it is advisable to set up 2-Step Verification with your phone number. Once it is registered and activated, logging into your Gmail account on a new device prompts you to enter the code sent to the phone number of the SIM card you registered.
