Gmail bug allows you to hide the address of the sender


Developer Tim Cotten found a bug in the Gmail user interface that makes it possible to hide the sender's email address. With a specially formed From header, the From field stays empty both in the inbox list and when the message is opened. Attackers can use this bug to pass off their messages as system notifications or messages from the mail service.

A week earlier, the expert published an article about another Gmail vulnerability, which allows messages to be added to a person's Sent Items folder even if that person never sent them. According to Cotten, it gives scammers a new platform for fraud. The victim may become curious about a message they do not remember, open it and click on a malicious link.

After that, the developer decided to check whether the Gmail interface was open to other attacks. He found that if the <sender_email_here> element in the From: "name, recipient_email_here" field is replaced with an <object>, <script> or <img> tag, the sender field stays completely empty. Who the message came from cannot be seen, even when viewing the message details or trying to reply to the message.

The necessary information can be found only by clicking the "Show original" button. There the From field is again empty, but the address is visible at the end of the <img> tag, which is the tag Cotten used for his experiment. The specialist concluded that Google saves and transforms the entire message header, but the UX layer does not handle it properly.

As proof of his assumption, the developer gives an example. Normally, the HTML fragment that displays the From field of a message in the Gmail application looks like this:

<span class="qu" role="gridcell" tabindex="-1">
  <span email="[email protected]" name="[email protected]" data-hovercard-id="[email protected]" class="gD" data-hovercard-owner-id="21">[email protected]</span>
</span>

In this case, however, it looks like this:

<span class="qu" role="gridcell" tabindex="-1">
  <span email="" name="" data-hovercard-id="" class="gD"></span>
</span>

Cotten warns that a message with an empty sender field can confuse even an experienced user, for example when the attackers introduce themselves as support staff of a well-known service. In this way, criminals may try to get the victim to hand over confidential data or click on a phishing link in the message.
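A receiving-side check for the header shape described above, as an added example that is not from Cotten's article or from Google's code: it inspects the raw From header (what "Show original" exposes) instead of the rendered interface and flags angle-bracket content that is an HTML tag rather than an address. The function name, the patterns and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Content of every <...> token in the raw header value.
ANGLE = re.compile(r"<([^<>]*)>")
# Deliberately simple addr-spec test; enough to tell an address from markup.
ADDR_SPEC = re.compile(r'^[^\s@<>"]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')
# The three tag names the article says blank out the sender field.
HTML_TAG = re.compile(r"^\s*/?\s*(object|script|img)\b", re.IGNORECASE)

def check_from(raw_message):
    """Return a list of findings for the From header of a raw message."""
    msg = message_from_string(raw_message)
    values = msg.get_all("From", [])
    findings = []
    if len(values) != 1:
        findings.append(f"expected exactly one From header, found {len(values)}")
    for value in values:
        tokens = ANGLE.findall(value)
        if not tokens and not ADDR_SPEC.match(value.strip()):
            findings.append("From header carries no usable address")
        for token in tokens:
            if ADDR_SPEC.match(token.strip()):
                continue  # normal case: <user@domain>
            if HTML_TAG.match(token):
                findings.append(f"HTML tag in place of address: <{token}>")
            else:
                findings.append(f"angle brackets hold no address: <{token}>")
    return findings

# Constructed sample: an ordinary message.
NORMAL = (
    'From: "Alice Example" <alice@example.com>\n'
    "To: bob@example.org\n"
    "Subject: Lunch\n\nSee you at noon.\n"
)
# Constructed sample: the header shape the article describes.
SUSPECT = (
    'From: "Support, bob@example.org" <img>\n'
    "To: bob@example.org\n"
    "Subject: Account notice\n\nPlease review.\n"
)

if __name__ == "__main__":
    for name, raw in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, check_from(raw))
```
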

The researcher reported both bugs to Google but has not yet received a response.

The search giant regularly introduces new security features. In particular, last year Google announced that it would add support to the mail service for strict transport security technology (SMTP Strict Transport Security), which forcibly applies the HTTPS protocol when following links.

However, fraudsters are also constantly improving their methods. In 2017, more and more phishing sites began using HTTPS domains as a disguise, misleading users with a green padlock and the presence of an SSL certificate.
