Two vulnerabilities have recently been found in Gmail. The main concern is that the flaws allow Gmail to be used in phishing attacks, in which cybercriminals impersonate known brands and people to deceive their victims.
The bugs were described by software developer Tim Cotten, who reported his findings in blog posts and also to Google.
Hiding the sender email address
One of the flaws allows a cybercriminal to forge the From field, making the sender's email address look anonymous. It means, as Cotten outlined, “a completely blank sender”.
This bug could be exploited, for example, by fraudsters who want to impersonate Google, sending users emails dressed up as official and system warnings. Even a user experienced with the Gmail platform could click on a malicious link or open a malicious attachment, believing it to be a legitimate message.
“By tailoring a malicious input in a certain way the Gmail app leaves the sender display completely blank both in the list view and in the detailed email view. This could be further weaponized for phishing attacks based on faking the appearance of official warnings or system messages”, said Cotten.
Falsifying the From field
The other vulnerability allows scammers to place emails into the Sent folder of their targets. You never sent that email, yet it is still labeled in your folder as a sent message.
As Cotten pointed out, “you can force an email to enter someone’s Gmail Inbox, Sent folder, and in:sent filter by adding their own email to the From field’s name area (the part in quotes)”.
The bug is both worrying and dangerous, as users may be tempted to act on such emails by clicking malicious links or opening malicious attachments, which can lead to malware and ransomware infections.
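The two header shapes the article describes, a blank sender and an email address placed in the quoted name part of the From field, can be checked for at a mail gateway or in a mailbox rule. The following is an added example, not code from the article or from Cotten's write-up; the function and finding names are made up for illustration and the sample headers are constructed.

```python
# Added example: flag From headers that match the two patterns described above.
# Uses only the Python standard library; inspect_from() and the finding labels are
# hypothetical names chosen for this illustration.
import re
from email.utils import parseaddr
from email.header import decode_header, make_header

# Loose match for something that looks like a mailbox address inside a display name
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_display(raw):
    # Decode RFC 2047 encoded-words so an obfuscated display name is inspected too
    try:
        return str(make_header(decode_header(raw)))
    except Exception:
        return raw


def inspect_from(header_value, recipient=None):
    """Return a list of findings for one From header value.

    recipient: the mailbox the message was delivered to (optional). If the display
    name embeds that address, the header matches the 'appears in your own Sent
    folder' pattern the article describes.
    """
    findings = []
    name, addr = parseaddr(header_value)      # ('display name', 'local@domain')
    name = decode_display(name)
    if not addr:
        findings.append("no-address")         # nothing usable in the address part
    if not name.strip() and not addr:
        findings.append("blank-sender")       # the 'completely blank sender' shape
    embedded = EMAIL_RE.findall(name)
    if embedded:
        findings.append("address-in-display-name")
        if any(e.lower() != addr.lower() for e in embedded):
            findings.append("display-name-address-mismatch")
        if recipient and any(e.lower() == recipient.lower() for e in embedded):
            findings.append("display-name-is-recipient")
    return findings


def scan(headers, recipient=None):
    # Constructed input: a list of raw From header values; returns only flagged ones
    return {h: f for h in headers if (f := inspect_from(h, recipient))}


if __name__ == "__main__":
    samples = ['"Alice" <alice@example.com>',                      # constructed, benign
               '"victim@example.com" <attacker@evil.test>',        # constructed
               '']                                                # constructed, blank
    for header, found in scan(samples, recipient="victim@example.com").items():
        print(repr(header), "->", found)
```

A real deployment would run this over the parsed `From` header of each message and route anything with `display-name-address-mismatch` or `blank-sender` to a quarantine or a warning banner rather than silently delivering it.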