[UPDATE: Google’s Statement] Scary Gmail Bug Lets Anyone Send Anonymous Mails
Update: Google reached out to us through a Cloud spokesperson who works with the security team. “We will be rolling out fixes to address these issues. It’s important to note that these issues do not impact Gmail’s phishing protections, such as those that prevent more than 99.9% of spam and phishing emails from reaching users’ inboxes and warnings that pop up when composing a reply to an unfamiliar recipient,” the company’s statement said.
Gmail is the most commonly used email platform in the world, which makes it a hunting ground for hackers looking to trick people into doling out their personal, sensitive info. A new bug has now been discovered in Gmail, which can allow hackers to send emails anonymously and lure users into phishing attacks.
As discovered by software developer Tim Cotten, who first reported it last week, a major vulnerability in the platform’s UX allows anyone to forge the ‘From’ sender’s address and leave it empty. He has aptly termed them “ghost emails”: messages that reach the recipient without telling them who the sender is.
Cotten found this vulnerability by substituting a portion of text in the From: ‘name, recipient_email_here <sender_email_here>’ test case with large and arbitrary tags, such as an or or HTML tag. Gmail didn’t raise any red flags when he hit send, but the recipient received an email with an alarming subject and no sender info, neither in their inbox nor within the conversation. Even hitting the reply button doesn’t show the sender’s info under the ‘To’ section, because that data has been tweaked with an tag.
The sender info is certainly there, since the email reached its destination, but it is hidden in the original message text. Gmail preserved and parsed the sender details, but could not display them in the UI because of the unusual length of the string.
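As an added illustration from the defender’s side (this is not code from the article or from Gmail): a small Python check that flags a From: header whose display name carries markup, a second address, or an abnormal length, so that a mail filter or a mailbox review can catch a sender-less rendering before a user acts on it. The tag used, the length threshold and the sample headers are constructed assumptions.

```python
"""Flag From: header values whose display name carries markup, extra
addresses or an abnormal length. Thresholds and sample headers below are
constructed for this example, not taken from the article or from Gmail."""
import re

ANGLE_RE = re.compile(r"<([^<>]*)>")                       # any <...> segment
ADDR_RE = re.compile(r'^[^\s@<>"]+@[^\s@<>"]+\.[^\s@<>"]+$')   # bare addr-spec
EMAIL_IN_TEXT_RE = re.compile(r'[^\s@<>"]+@[^\s@<>"]+\.[^\s@<>"]+')
MAX_DISPLAY_NAME = 80  # assumed limit; a real filter would tune this


def inspect_from_header(value):
    """Return (verdict, reasons) for the raw value of one From: header."""
    reasons = []
    addresses, markup = [], []
    # Every <...> segment is either an address or something that should
    # never be there (an HTML tag, for instance).
    for token in ANGLE_RE.findall(value):
        token = token.strip()
        (addresses if ADDR_RE.match(token) else markup).append(token)
    stripped = value.strip()
    if not ANGLE_RE.search(value) and ADDR_RE.match(stripped):
        addresses.append(stripped)        # plain addr-spec, no display name
        display_name = ""
    else:
        display_name = " ".join(ANGLE_RE.sub(" ", value).split())
    if markup:
        reasons.append("markup inside display name: " + ", ".join(markup))
    if len(addresses) != 1:
        reasons.append("expected one sender address, found %d" % len(addresses))
    if len(display_name) > MAX_DISPLAY_NAME:
        reasons.append("display name is %d characters long" % len(display_name))
    if EMAIL_IN_TEXT_RE.search(display_name):
        reasons.append("display name contains an address of its own")
    return ("suspicious" if reasons else "ok", reasons)


# Constructed sample headers (not real messages).
SAMPLES = {
    "normal": '"Alice Smith" <alice@example.com>',
    "bare": "alice@example.com",
    "empty": "",
    "lookalike": "Alice Smith, alice@example.com <someone@example.net>",
    "padded": "<b>" * 40 + "Support <someone@example.net>",
}


def scan(samples):
    """Map each sample name to its verdict."""
    return {name: inspect_from_header(hdr)[0] for name, hdr in samples.items()}
```

The check deliberately treats any angle-bracketed segment that is not an address as markup, so a quoted display name that legitimately contains a `<` will also be flagged, which is the conservative outcome for a filter.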
In his Medium post, Cotten talks about malicious intent and adds that “without the sender information, there this (the mail without a sender) looks completely legitimate and a well-educated user could easily be suckered into compromising their own account.” A hacker could make you believe it’s a genuine email, thus coaxing you into clicking a false link.
This vulnerability has already been reported to Gmail, and the team would have started work on fixing it. Still, we would suggest you keep an eye out for emails with an empty sender’s address.
Anmol
Getting my start with technology journalism back in 2016, I have been working in the industry for over 7 years. Currently, as the Editor of Beebom, I’m leading the coverage on the website. While my expertise lies in Android, Windows, and the apps world, find me reading manga, watching anime, and playing Apex in my free time.