Gmail is one of the most widely used email platforms in the world, so any report of a bug in it is bound to unsettle users. That is exactly what has happened this time.
Software developer Tim Cotten has discovered a bug in the way Gmail handles the ‘From:’ header that allows an arbitrary email address to be planted in the sender field. The bug, Cotten explains, can lead to ‘high-level abuse’: by inserting the recipient’s own address into that field, an attacker can make a message look as if the target sent it themselves and mislead them about the contents of their own Sent folder.
According to Cotten’s blog post, such emails end up in the target’s “Sent” folder even though the target never sent them. Cotten believes this gives scammers and phishers a new avenue for targeting unsuspecting users, who can be tricked into opening malicious links or rogue attachments.
The underlying cause is that Gmail files a message in the Sent folder based on the address found in the From field. If an attacker sends an email crafted so that the target’s own address appears in the From field, the message lands in both the target’s Inbox and Sent folders, leaving the user to believe they sent it. Cotten explains:
“By structuring the from field to contain the recipient’s address along with other text, the GMail app reads the from field for filtering/inbox organization purposes and sorts the email as though it was sent from [the recipient], despite it clearly also having the originating mailbox as [another address],” said Cotten.
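The following is an added example (not code from Cotten’s post, and not Gmail’s own logic) that makes the mechanism above concrete. It builds a constructed message whose From header carries the recipient’s address as the display name while the real originating mailbox sits in the angle brackets, then compares a hypothetical naive filing rule that substring-matches the raw From header against a rule that parses the header per RFC 5322 and keys on the actual addr-spec. The addresses and rule names are assumptions for illustration.

```python
from email import policy
from email.parser import BytesParser

# Constructed sample messages (not taken from the article or from Cotten's post).
# In the crafted one, the display name is the victim's own address and the
# real originating mailbox is the angle-bracketed address.
CRAFTED_MESSAGE = b"""\
From: "victim@example.com" <attacker@example.net>
To: victim@example.com
Subject: Re: those links from last week
Message-ID: <constructed-1@example.net>

Please see the links from our earlier thread.
"""

# A genuinely self-sent message for comparison.
LEGIT_MESSAGE = b"""\
From: Victim <victim@example.com>
To: victim@example.com
Subject: note to self
Message-ID: <constructed-2@example.com>

Reminder.
"""

RECIPIENT = "victim@example.com"


def _parse(raw: bytes):
    # policy.default gives structured header objects (AddressHeader for From).
    return BytesParser(policy=policy.default).parsebytes(raw)


def naive_is_own_sent(raw: bytes, mailbox: str) -> bool:
    """Hypothetical naive rule: treat the message as sent by `mailbox` if that
    string appears anywhere in the raw From header. This is the kind of check
    that the crafted display name defeats."""
    msg = _parse(raw)
    return mailbox.lower() in str(msg["From"]).lower()


def parsed_senders(raw: bytes) -> list[str]:
    """Return the actual addr-spec(s) from the From header, ignoring display names."""
    msg = _parse(raw)
    return [addr.addr_spec.lower() for addr in msg["From"].addresses]


def strict_is_own_sent(raw: bytes, mailbox: str) -> bool:
    """Stricter rule: the parsed From addr-spec must be exactly the mailbox and
    nothing else. Display-name text is not consulted at all."""
    return parsed_senders(raw) == [mailbox.lower()]


if __name__ == "__main__":
    for label, raw in (("crafted", CRAFTED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, "naive:", naive_is_own_sent(raw, RECIPIENT),
              "strict:", strict_is_own_sent(raw, RECIPIENT),
              "senders:", parsed_senders(raw))
```

The crafted message passes the naive rule and fails the strict one, while the genuine message passes both. Even the strict rule only inspects a header the sender fully controls; a client that wants to know whether a message truly belongs in Sent should key on the fact that the message was submitted through the user’s own authenticated account rather than on anything in the From header.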
Scammers stand to benefit greatly from this bug. Incoming spam is usually filtered out, but a message filed in the Sent folder is not treated as spam and simply stays there. An attacker can then send a follow-up email asking the target to look back at “their previous correspondence” for some piece of information; when the user opens the planted message, they may well click a malicious link. This bug, Cotten says, offers an “open door” to malicious threat actors.
“Imagine, for instance, the scenario where a custom email could be crafted that mimics previous emails the sender has legitimately sent out containing various links. A person might, when wanting to remember what the links were, go back into their sent folder to find an example: disaster!” Cotten explained.
Another notable aspect of this trick is that once the planted email lands in the Sent folder, it sits among the user’s other sent messages, which normally appear as already read. Its subject line, however, appears bolded.
Cotten identified the issue after an employee at his company noticed messages in her Gmail Sent folder that she had never sent. On closer inspection, Cotten found that the emails had been received from an external account and filed in the Sent folder.
Cotten has reported the findings to Google, but so far he has not received a response. For additional technical details, see Cotten’s blog post.