Bug in Gmail Android app allows anyone to send spoofed emails

A security flaw in the official Gmail Android app allows anyone to open the email spoofing attacks allowing anyone to make their email look like it was sent by someone else, possibly opening doors to dangerous phishing emails and scammers.

Dubbed as Email Spoofing, it enables the forgery of an e-mail header so that the email appears to have originated from someone else than the actual or original source.

An attacker generally needs a working SMTP (Simple Mail Transfer Protocol) server to send email and a mailing software to spoof email addresses.

The independent security researcher Yan Zhu, who was the one to discover the flaw said that the bug only works within the regular Gmail Android app. The flaw allowed her to change her display name in the account settings so that the final recipient will not be able to know the identity of the email sender.

Zhu changed her display name to yan “”[email protected]” with an extra quotation mark and sent an email to demonstrate her finding.

“[This] extra quotes [in the display name] triggers a parsing bug in the Gmail app, which causes the real email to be invisible,” Zhu told Motherboard. “It’s always been possible to spoof email envelope addresses, but spoofed emails now usually get caught by spam filters or get displayed with a warning in Gmail, With this bug, a hacker can get around these protections.”

When Zhu reported the issue to the Google Security team at the end of October, the experts rejected the bug report saying it is not a security vulnerability in response to her email correspondence with the internet giant.

“Thanks for your note, we don’t consider this to be a security vulnerability,” a Google Security Team member told Zhu.

At that point, Zhu decided to disclose the bug on Twitter.

Given that it only works within Android’s Gmail app, there is a low risk vulnerability. However, as spoofing an email address is surprisingly easy, spammers and phishers take advantage of it to harm people or organisation. This is exactly the scenario that Zhu put forward to Google when she notified them of the bug.

Spoofing of email envelope addresses has always been possible, but spoofed emails now usually get displayed with a warning in Gmail or get caught by spam filter, Zhu told Motherboard. A hacker can get around these protections with this bug.

Zhu should’ve taken advantage of the vulnerability when reporting it to Google said a Twitter user jokingly.

“Send the email from Sergey or Larry and tell them it’s a high priority bug that they need to fix immediately, wrote Phred on Twitter. “Problem solved.

However, here’s how you can protect yourself from spoofed email by following the below things:

* Turn on your Spam Filters – Spam filters and junk boxes that dump spoof emails to your junk mail are provided by almost every email service.

* Learn to Trace IP addresses and read Email message headers – It is a good practice to track down the source of spam. Open the header when you receive a suspicious email, and verify if the IP address of the sender is the same as the previous emails sent from the same person.

* Never Click on an Unfamiliar Attachment or a Suspicious Link or Download – Always keep an eye on the emails sent to you and avoid downloading email attachments or clicking links in email. Use the browser to go to your bank’s official website or other websites and log into your account to find what they want you to see.

* Keep your PC’s Antimalware Up-to-Date.