Bug In Gmail App for Android Allows You To Send Emails Pretending To Be Someone Else

Bug in Gmail Android app allows anyone to send spoofed emails

A security flaw in the official Gmail Android app allows anyone to mount email spoofing attacks, making a message look as though it was sent by someone else and potentially opening the door to dangerous phishing emails and scams.

Email spoofing is the forgery of an e-mail header so that the message appears to have originated from someone other than the actual source.

An attacker generally needs a working SMTP (Simple Mail Transfer Protocol) server and mailing software to spoof email addresses.

The independent security researcher Yan Zhu, who discovered the flaw, said that the bug only works within the regular Gmail Android app. The flaw allowed her to change the display name in her account settings so that the final recipient cannot tell the real identity of the sender.

Zhu changed her display name to yan “”security@google.com” with an extra quotation mark and sent an email to demonstrate her finding.

“[The] extra quotes [in the display name] trigger a parsing bug in the Gmail app, which causes the real email to be invisible,” Zhu told Motherboard. “It’s always been possible to spoof email envelope addresses, but spoofed emails now usually get caught by spam filters or get displayed with a warning in Gmail. With this bug, a hacker can get around these protections.”
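To make the parsing point concrete, here is an added Python example. It is not code from the article, from Zhu, or from Google, and nothing in it is Gmail's implementation: it shows a quote-aware scan for the angle-addr that an unbalanced quote in the display name can defeat (no address is found at all), beside a hardened parse that falls back to the trailing `<...>` and flags a display name carrying an address whose domain differs from the real sender. The header values, the `real-sender@example.invalid` address and the `Sender` type are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample From header values (not taken from a real message).
# The display name is the one the article describes; the real sender
# address is a placeholder on a reserved domain.
REAL_SENDER = "real-sender@example.invalid"
SPOOFED_FROM = f'yan ""security@google.com" <{REAL_SENDER}>'
NORMAL_FROM = f'"Yan Zhu" <{REAL_SENDER}>'

# Loose addr-spec shape, enough to spot an address hidden in a display name.
ADDR_TOKEN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Sender:
    display_name: str
    addr_spec: Optional[str]
    suspicious: bool
    reason: str


def split_strict(field: str) -> Tuple[str, Optional[str]]:
    """Quote-aware split into (display text, angle-addr). Per RFC 5322 a '<'
    inside a quoted string is literal, so an unbalanced quote in the display
    name swallows the rest of the field and no address is found. This is the
    failure class the article describes, reproduced here for illustration."""
    in_quote = False
    start = None
    i = 0
    while i < len(field):
        ch = field[i]
        if in_quote and ch == "\\":
            i += 2  # quoted-pair: skip the escaped character
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "<" and not in_quote:
            start = i
        elif ch == ">" and not in_quote and start is not None:
            return field[:start].strip(), field[start + 1:i].strip()
        i += 1
    return field.strip(), None


def split_lenient(field: str) -> Tuple[str, Optional[str]]:
    """Fallback: take the trailing <...> group regardless of quoting, so
    quotes in the display name can no longer hide the address."""
    m = re.search(r"^(.*)<([^<>]*)>\s*$", field, re.S)
    if not m:
        return field.strip(), None
    return m.group(1).strip(), m.group(2).strip()


def unquote_phrase(text: str) -> str:
    """Drop the quotes of quoted strings and resolve backslash escapes."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
            continue
        if ch != '"':
            out.append(ch)
        i += 1
    return "".join(out).strip()


def parse_from(field: str) -> Sender:
    """Hardened rendering decision for a From value: always recover the real
    addr-spec, and flag a display name that carries an address-like token
    whose domain differs from it (a classic phishing indicator)."""
    name, addr = split_strict(field)
    if addr is None:
        name, addr = split_lenient(field)
    name = unquote_phrase(name)
    if addr is None:
        # No angle-addr at all: the field is either a bare addr-spec or junk.
        if ADDR_TOKEN.fullmatch(name):
            return Sender("", name, False, "")
        return Sender(name, None, True, "no parsable sender address")
    real_domain = addr.rsplit("@", 1)[-1].lower()
    for token in ADDR_TOKEN.findall(name):
        if token.rsplit("@", 1)[-1].lower() != real_domain:
            return Sender(name, addr, True,
                          f"display name shows {token} but sender is {addr}")
    return Sender(name, addr, False, "")


if __name__ == "__main__":
    for raw in (SPOOFED_FROM, NORMAL_FROM):
        print(raw, "->", parse_from(raw))
```

Run stand-alone, the spoofed header yields a `Sender` whose `addr_spec` is the real address and whose `suspicious` flag is set, while the strict scan alone returns no address for it; a client that renders from `parse_from` shows the real sender and a warning rather than nothing.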

When Zhu reported the issue to the Google Security team at the end of October, they rejected the bug report, telling her in their email correspondence that it is not a security vulnerability.

“Thanks for your note, we don’t consider this to be a security vulnerability,” a Google Security Team member told Zhu.

At that point, Zhu decided to disclose the bug on Twitter.

Given that it only works within Android’s Gmail app, it is a low-risk vulnerability. However, as spoofing an email address is surprisingly easy, spammers and phishers take advantage of it to harm people and organisations. This is exactly the scenario that Zhu put forward to Google when she notified them of the bug.

Spoofing of email envelope addresses has always been possible, but spoofed emails now usually get displayed with a warning in Gmail or get caught by spam filters, Zhu told Motherboard. With this bug, a hacker can get around these protections.

A Twitter user joked that Zhu should have taken advantage of the vulnerability when reporting it to Google.

“Send the email from Sergey or Larry and tell them it’s a high priority bug that they need to fix immediately,” wrote Phred on Twitter. “Problem solved.”

However, here is how you can protect yourself from spoofed email:

* Turn on your Spam Filters – Almost every email service provides spam filters and a junk folder that catch spoofed emails.

* Learn to Read Email Message Headers and Trace IP Addresses – It is good practice to track down the source of spam. Open the headers when you receive a suspicious email and check whether the sending IP address matches the one in earlier emails from the same person.

* Never Click on an Unfamiliar Attachment or a Suspicious Link or Download – Always keep an eye on the emails sent to you and avoid downloading email attachments or clicking links in email. Instead, use the browser to go to your bank’s official website (or whichever site the email names) and log into your account to find what they want you to see.

* Keep your PC’s Antimalware Up-to-Date.
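The header-reading advice above, as an added Python example that is not from the article: it walks the `Received:` chain of a constructed message, picks out the IP address recorded for the originating hop and compares it with a baseline of addresses seen in earlier mail from the same correspondent. The hostnames, IP addresses (documentation ranges) and the message itself are constructed.

```python
import re
from email import message_from_string

# Constructed message headers (not a real capture). Tab-indented lines are
# RFC 5322 folding continuations; the IP addresses are documentation ranges.
RAW_MESSAGE = (
    "Received: from mx.example.invalid (mx.example.invalid [203.0.113.10])\n"
    "\tby inbound.example.net with ESMTPS id abc123\n"
    "\tfor <victim@example.net>; Mon, 09 Nov 2015 10:00:00 +0000\n"
    "Received: from sender-host.example.invalid (unknown [198.51.100.7])\n"
    "\tby mx.example.invalid with ESMTP id def456;\n"
    "\tMon, 09 Nov 2015 09:59:58 +0000\n"
    "From: yan \"\"security@google.com\" <real-sender@example.invalid>\n"
    "To: victim@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# The bracketed literal a receiving server records for its peer, e.g. "[203.0.113.10]".
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw: str) -> list:
    """IPv4 addresses from the Received: headers, top (nearest the reader)
    to bottom (added first, nearest the sender). The default compat32 policy
    leaves header values as plain strings, so the malformed From: header
    does not get in the way."""
    msg = message_from_string(raw)
    chain = []
    for value in msg.get_all("Received", []):
        m = IPV4_IN_BRACKETS.search(value)
        if m:
            chain.append(m.group(1))
    return chain


def originating_ip(raw: str):
    """The peer address of the bottom-most Received: header, i.e. the hop
    the sender's own system connected from. Caveat: only the Received:
    lines added by servers you trust are reliable; a sender can pre-fill
    bogus ones below them."""
    chain = received_chain(raw)
    return chain[-1] if chain else None


def matches_baseline(ip, known_ips) -> bool:
    """The article's check: does this message's originating IP match the
    addresses seen in earlier mail from the same correspondent?"""
    return ip is not None and ip in set(known_ips)


if __name__ == "__main__":
    ip = originating_ip(RAW_MESSAGE)
    print("chain:", received_chain(RAW_MESSAGE))
    print("originating:", ip, "known:", matches_baseline(ip, ["198.51.100.7"]))
```

In the constructed message the originating hop is `198.51.100.7`; a baseline built from earlier, known-good mail would make a sudden change of that address a reason to look more closely at the message, together with the real sender address recovered from the From: header.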

1 COMMENT

  1. Yea, this is definitely a low risk vulnerability, since it assumes the recipient uses both gmail and an Android phone with the gmail app. Viewing the email through a browser will reveal that the sender’s info is yan “”security@google.com”

    This article implies that the actual headers are modified, but they’re not really. As mentioned, the gmail app’s parser just doesn’t parse the sender email properly, but this only happens on the received email, not when it’s sent. Hitting reply to the email will reveal the actual account used to send it.

    The article suggests reading headers and other info, which from what I’ve found is not available in the actual app. Since the user has to log into a browser to view the headers, the user should discover that the sender has epically failed to trick anyone.
