Bug In Gmail App for Android Allows You To Send Emails Pretending To Be Someone Else

Bug in Gmail Android app allows anyone to send spoofed emails

A security flaw in the official Gmail Android app allows anyone to make their email look like it was sent by someone else, possibly opening the door to dangerous phishing emails and scammers.

Known as email spoofing, this is the forgery of an e-mail header so that the email appears to have originated from someone other than the actual source.

An attacker generally needs a working SMTP (Simple Mail Transfer Protocol) server to send email and mailing software to spoof email addresses.

The independent security researcher Yan Zhu, who discovered the flaw, said that the bug only works within the regular Gmail Android app. The flaw allowed her to change her display name in the account settings so that the final recipient would not be able to know the identity of the email sender.

Zhu changed her display name to yan “”[email protected]” with an extra quotation mark and sent an email to demonstrate her finding.

“[This] extra quotes [in the display name] triggers a parsing bug in the Gmail app, which causes the real email to be invisible,” Zhu told Motherboard. “It’s always been possible to spoof email envelope addresses, but spoofed emails now usually get caught by spam filters or get displayed with a warning in Gmail. With this bug, a hacker can get around these protections.”

When Zhu reported the issue to the Google Security team at the end of October, the experts rejected the bug report, replying by email that it is not a security vulnerability.

“Thanks for your note, we don’t consider this to be a security vulnerability,” a Google Security Team member told Zhu.

At that point, Zhu decided to disclose the bug on Twitter.

Given that it only works within Android’s Gmail app, this is a low-risk vulnerability. However, as spoofing an email address is surprisingly easy, spammers and phishers take advantage of it to harm people or organisations. This is exactly the scenario that Zhu put forward to Google when she notified them of the bug.

Spoofing of email envelope addresses has always been possible, but spoofed emails now usually get displayed with a warning in Gmail or get caught by spam filters, Zhu told Motherboard. A hacker can get around these protections with this bug.

Zhu should’ve taken advantage of the vulnerability when reporting it to Google, a Twitter user said jokingly.

“Send the email from Sergey or Larry and tell them it’s a high priority bug that they need to fix immediately,” wrote Phred on Twitter. “Problem solved.”

Here’s how you can protect yourself from spoofed email:

* Turn on your Spam Filters – Almost every email service provides spam filters and junk boxes that divert spoofed emails to your junk mail.

* Learn to Trace IP addresses and read Email message headers – It is a good practice to track down the source of spam. Open the header when you receive a suspicious email, and verify whether the sender’s IP address is the same as in previous emails sent from the same person.

* Never Click on an Unfamiliar Attachment or a Suspicious Link or Download – Always keep an eye on the emails sent to you and avoid downloading email attachments or clicking links in email. Use the browser to go to your bank’s official website or other websites and log into your account to find what they want you to see.

* Keep your PC’s Antimalware Up-to-Date.
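
The header check described in the list above can be scripted. The following is an added example, not code from Zhu or Google: it reads a raw message, separates the display name from the real sender address, flags the kind of quoting and embedded address used in the display-name trick, and compares the originating IP with ones seen before. The sample message, its addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def split_from(raw_from):
    """Split a raw From value into (display_name, address) at the last '<'."""
    raw = raw_from.strip()
    if raw.endswith(">") and "<" in raw:
        display, _, addr = raw[:-1].rpartition("<")
        return display.strip(), addr.strip().lower()
    return "", raw.lower()

def origin_ip(msg):
    """Bracketed IP from the oldest Received header that has one."""
    for hop in reversed(msg.get_all("Received", [])):
        match = IP_RE.search(hop)
        if match:
            return match.group(1)
    return None

def audit(raw_message, known_ips=()):
    """Return (real_address, origin_ip, findings) for one raw message."""
    msg = message_from_string(raw_message)
    display, addr = split_from(msg.get("From", ""))
    findings = []
    # Heuristic: unbalanced or doubled quotes are unusual in a real name.
    if display.count('"') % 2 or '""' in display:
        findings.append("malformed quoting in display name")
    # An address inside the display name that is not the real sender.
    if {a.lower() for a in ADDR_RE.findall(display)} - {addr}:
        findings.append("display name shows a different address")
    ip = origin_ip(msg)
    if known_ips and ip not in known_ips:
        findings.append("origin IP not seen before for this sender")
    return addr, ip, findings

# Constructed sample: documentation domains and IP ranges only.
SAMPLE = (
    "Received: from mx.example.org (mx.example.org [198.51.100.7])\n"
    "Received: from sender.example.net (unknown [203.0.113.45])\n"
    'From: "yan ""security@example.com"" <someone@example.net>\n'
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE, known_ips={"192.0.2.10"}))
```

Received headers added before the message reached your own mail server can be forged by the sender, so treat the origin IP as a hint rather than proof.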

Kavita Iyer