Hacking Gmail’s UX with from fields for phishing attacks

A glitch in Gmail could be exploited by hackers to carry out phishing attacks, the issue is related the way Gmail automatically files messages into Sent folder

A bug in Gmail could be exploited by attackers to carry out phishing attacks, the flaw ties the way Gmail automatically files messages into the “Sent” folder.

The bug that was discovered by software developer Tim Cotten, it could be exploited by an attacker to place emails into a person’s “Sent” folder, even if the person has never sent the messages.

Gmail moves an email into the Sent folder based on the address in the “from” field.

An attacker could exploit the bug by sending an email to a target, which has been specially crafted to have that target’s email address in the “from” field.

Gmail will move the email to both the target’s inbox and Sent folder.

“So it appears that by structuring the from field to contain the recipient’s address along with other text, the GMail app reads the from field for filtering/inbox organization purposes and sorts the email as though it were sent from [the recipient], despite it clearly also having the originating mailbox as [another address],” wrote the researcher.

This issue could be exploited by hackers in an attack scenario that sees it first sending a spam emails that is moved in the inbox of the target, then he will send out a follow-up email asking the victim to look back at previous messages for some reason and trick them into open something malicious.

“Imagine, for instance, the scenario where a custom email could be crafted that mimics previous emails the sender has legitimately sent out containing various links.” wrote Cotten.

“A person might, when wanting to remember what the links were, go back into their sent folder to find an example: disaster!

Don’t get me wrong, the user should still verify the details at the top of the email and might catch on that something is odd —but we know it only takes a small percentage of due-diligence failure to have a big environment effect.”

Cotten reported the findings to Google, he also cited another bug in Gmail filtering that was reported by “tekstar”:

“For example imagine Alice emails Bob and Chad, and in the ‘to:’ field for Bob she gives Bob a different name, like ‘Brad’ [but the address is still <bob@bob.com>],” tekstar said. “If Chad replies to this email, Bob will now be in his contact list as Brad. The email is still bob@bob.com but you can see how it could be malicious, or at least fodder for fun pranks.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Gmail, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.