A rather scary bug has hit the Gmail for Android app, folks. Security researcher Yan Zhu has found a way to make a message appear to come from any email address she likes, without touching the actual sending address at all. The trick lives entirely in the "display name" field: put an extra quotation mark at the start of a second email address and drop it into the display name, using plain ASCII quotes, like so:
yan ""security@google.com"
The Gmail app for Android then shows the quoted address where it would normally show the sender's real one, so the message looks like it came from security@google.com even though the underlying From address is unchanged. Sending from my own account, I could make a message read From: Quentyn <webmaster@usdoj.gov> (the Department of Justice) if I wanted to.
You can already imagine what some no-gooders could do with this: phishing people by making a message look like official communication from a trusted company, person or organization. The bug was disclosed to Google last week, but the company apparently brushed it off and doesn't consider it a security issue at all.
filed a gmail android bug that lets me fake sender email address. they said it’s not a security issue. ¯\_(ツ)_/¯
— yan⚠ (@bcrypt) November 11, 2015
This is probably because Gmail's spam filtering already catches messages whose sending address is forged, but messages sent with this trick apparently sail straight through. That makes sense when you look at what is actually being manipulated: the real From address is genuine, so nothing a filter checks about the sender is wrong, and the display name is free-form text that the sender controls completely. The only thing being fooled is the Android app's rendering of the header.
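To make the display-name trick above concrete, and to show the check a mail client or filter could run that Gmail's Android app evidently did not, here is an added example in Python. It is not Zhu's code or Google's, and it does not claim to reproduce the Android app's parser; it simply parses a raw From header the way a standards-aware client should, pulls out the real addr-spec, and flags any address-looking text in the display name that does not match it. The sample headers are constructed for this example (the sending addresses are example.com placeholders, not anything Zhu actually sent):

```python
import re
from email.utils import parseaddr

# Loose match for an address-looking token buried in free text such as a
# display name. It is intentionally permissive: we want to notice anything a
# human reader would mistake for the sender's address.
_ADDR_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample From header values (not from the original article or from
# any real message). Backslash-escaped quotes are how stray quotation marks in a
# display name have to be carried inside a quoted-string on the wire.
SAMPLE_HEADERS = {
    # The article's trick: the address the reader is meant to see sits inside
    # the display name; the real sender is the addr-spec in <...>.
    "display_name_trick": '"yan \\"\\"security@google.com\\"" <yan.zhu@example.com>',
    # The author's Department of Justice scenario, built the same way.
    "doj_trick": '"Quentyn \\"\\"webmaster@usdoj.gov\\"" <quentyn@example.com>',
    # Angle-bracket variant of the same idea.
    "angle_trick": '"Bob <bob@bank.example>" <bob@attacker.example>',
    # Honest header: a name and the matching address, nothing embedded.
    "honest": "Quentyn <quentyn@example.com>",
    # Harmless duplication: the display name repeats the genuine address.
    "duplicated": '"Alice Example <alice@example.com>" <alice@example.com>',
}


def analyse_from_header(from_value):
    """Parse one raw From: header value and report display-name spoofing signals.

    The real sender is the addr-spec (the part a proper parser returns as the
    address); the display name is sender-controlled free text. Any address-
    looking token in the display name that differs from the real addr-spec is
    the signal a client or filter should act on.
    """
    display_name, real_address = parseaddr(from_value)
    embedded = _ADDR_IN_TEXT.findall(display_name)
    mismatched = sorted({a for a in embedded if a.lower() != real_address.lower()})
    return {
        "display_name": display_name,
        "real_address": real_address,
        "embedded_addresses": embedded,
        "mismatched_addresses": mismatched,
        # Leftover quotes or angle brackets in a parsed display name are what
        # the trick relies on to confuse a lenient renderer; worth surfacing
        # even when no mismatched address is present.
        "unusual_display_name": any(c in display_name for c in '"<>'),
        "spoof_suspected": bool(mismatched),
    }


def safe_sender_line(from_value):
    """What a client should show: the display name, always followed by the
    real addr-spec so the genuine sender can never be hidden."""
    display_name, real_address = parseaddr(from_value)
    return f"{display_name} <{real_address}>" if display_name else real_address


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        result = analyse_from_header(header)
        verdict = "SPOOF?" if result["spoof_suspected"] else "ok"
        print(f"{label:20} {verdict:7} real={result['real_address']} "
              f"embedded={result['embedded_addresses']}")
        print(f"{'':20} shown as: {safe_sender_line(header)}")
```

The point of the check is that the header itself is not malformed: a correct parser returns the real sending address every time, and the only defect is in what a client chooses to display. A client that always renders the addr-spec next to the display name, as `safe_sender_line` does, leaves the trick nowhere to hide.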
It may not be a security concern in the sense that it lets someone into your inbox, but it is certainly something that should be fixed before phishers and spammers start leaning on it. It's especially odd that Google decided not to look further into it considering all the noise they made about email security last week. We'll be reaching out to Google to see if they can shed some light on the bug and whether they plan to fix it in a future update.
[via Motherboard]