Developer Tim Cotten found a curious bug in Gmail related to how the mail client handles the “From:” header. By exploiting it, an attacker can, at a minimum, place an arbitrary address in the sender field and send a message that appears to come from an employee of the targeted company.
Cotten discovered the bug while investigating an incident at his company: one of the employees found several emails in her Sent folder that she had not sent. Digging deeper, he found that the messages had been sent from someone else’s account and had been automatically filed in the employee’s Sent folder. As it turned out, the “From:” field contained two addresses, the sender’s and the recipient’s. Apparently, Cotten explained, when Gmail processes a “From:” field that contains the recipient’s own address, it classifies the message as sent, even though the message clearly came from another address.
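The pattern described above, a “From:” header that names more than one mailbox and includes the recipient’s own address, is something a mail gateway or mailbox audit can check for before the client ever files the message. The following is an added example, not code from the article or from Cotten; it parses a raw RFC 5322 message with Python’s standard `email` package and reports any “From:” header that carries several mailboxes, repeats a recipient address, or mixes an address in an assumed local domain (`corp.example`, a placeholder) with an external one. The sample messages are constructed for the example.

```python
# Added example (not the article's code): audit a message's From: header
# for the multi-address pattern the article describes.
from email.parser import BytesParser
from email.utils import getaddresses


def _mailboxes(header_values):
    """Lower-cased addr-spec of every mailbox in the given header values."""
    return [addr.lower() for _, addr in getaddresses(header_values) if addr]


def audit_from_header(raw_message: bytes, local_domain: str) -> dict:
    """Parse raw_message and return its From: mailboxes plus a list of findings.

    local_domain is the organisation's own domain (an assumed input); a From:
    line that places an address in it beside a foreign address is flagged.
    """
    # Default (compat32) policy keeps headers as raw strings, which is what
    # getaddresses() expects and tolerates oddly structured headers better.
    msg = BytesParser().parsebytes(raw_message)
    from_values = msg.get_all("From", [])
    from_mailboxes = _mailboxes(from_values)
    recipients = _mailboxes(msg.get_all("To", []) + msg.get_all("Cc", []))
    suffix = "@" + local_domain.lower()

    findings = []
    if len(from_values) > 1:
        findings.append("message carries %d From headers" % len(from_values))
    if len(from_mailboxes) > 1:
        findings.append("From lists %d mailboxes" % len(from_mailboxes))
    has_external = any(not mb.endswith(suffix) for mb in from_mailboxes)
    for mb in from_mailboxes:
        if mb in recipients:
            # The case from the article: the recipient's address inside From:
            findings.append("From contains recipient address %s" % mb)
        elif mb.endswith(suffix) and has_external:
            findings.append("From mixes local address %s with an external one" % mb)
    return {"from_mailboxes": from_mailboxes, "findings": findings}


# Constructed sample messages (not real traffic).
SUSPICIOUS_MESSAGE = b"""From: "Outside Party" <outsider@attacker.example>, employee@corp.example
To: employee@corp.example
Subject: constructed sample

body
"""

CLEAN_MESSAGE = b"""From: colleague@corp.example
To: employee@corp.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        result = audit_from_header(raw, "corp.example")
        print(label, result["from_mailboxes"], result["findings"] or "no findings")
```

The check is deliberately header-only: it does not decide whether the message is legitimate, it only surfaces the structural oddity that the article says Gmail silently accepted, so a reviewer or a filtering rule can act on it.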
Cotten reported the problem to Google. The company did not reply, but the next time he tried to send an email with several addresses in the field, the Gmail server returned an error message. Cotten slightly changed the structure of the header and found that the problem was still present. According to him, an attacker could use this to slip in malicious links. Moreover, he noted, any email address can be added to the header, which hides the real sender.
Publication of the findings sparked a heated discussion that brought to light another Gmail vulnerability, one that allows the recipient’s email address to be spoofed. That problem was fixed in the Gmail web client, but 19 months later it is still present in the Android version of the client.