A Gmail flaw has been discovered that allows an email to be delivered with nothing displayed in the sender field. The flaw could easily be exploited by cybercriminals in phishing attacks.
Phishers routinely mask the sender of an email to fool the recipient into believing the message is genuine. The From header can be spoofed so that the displayed name appears to be a known contact or a well-known institution. Leaving the From field blank achieves a similar effect: with no sender information to check, many end users could be fooled into thinking the email has come from a legitimate source.
The vulnerability was discovered by software developer Tim Cotton. It is the second Gmail flaw he has found in the past few days. The first Gmail flaw would allow an attacker to send a message directly to a user’s sent folder, potentially bypassing inbox anti-spam protections. The flaw could be exploited to make a user think that they have previously sent a message.
The flaw is present in how Gmail sorts emails. If the account holder’s name is in the From field, the message is automatically routed to the Sent folder. If an attacker were then to send a normal email to the same user that referred to the earlier message, the user could be lured into looking for it in the Sent folder, where they may open an attachment or click on an embedded hyperlink.
The latest Gmail flaw is similar to the first. Cotton discovered that if the recipient’s name in the From header is paired with an arbitrary tag such as <img> or <object> containing a malformed image, the sender field is rendered blank. Even if the recipient clicks Reply, no sender name appears, and even the Show Original function did not display one.
According to Cotton, “It was the combination of the quoted alias, a preceding word, space and the long base64, [and] badly encoded img tag.” While the header was preserved and parsed, the Gmail UX could not handle it and returned a blank field.
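As an added example (not from the article, from Cotton, or from Google), the following Python triage filter flags the two From-header shapes described above: a header whose angle-bracketed part is markup rather than an address, and an inbound message whose From identity is the mailbox owner's own name or address. The regexes, the `triage`/`check_from_header`/`impersonates_mailbox_owner` helpers, and the sample messages are this example's own constructions and assumptions; they are not Gmail's parsing or routing rules.

```python
"""Added example: a From-header sanity check for the two header shapes the
article describes.  Sample messages are constructed for the demo; the
regexes and heuristics are this example's assumptions, not Gmail's rules."""
import re
from email import message_from_string

# Minimal addr-spec shape (local@domain).  Assumption: deliberately stricter
# than RFC 5322, which is what you want in a triage filter.
ADDR_SPEC = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")
ANGLE_GROUP = re.compile(r"<([^>]*)>")
# Markup that has no business inside a mail header.  The tag must be followed
# by whitespace, '>' or '/' so a local-part such as "img@example.com" is not hit.
MARKUP = re.compile(r"<\s*/?(?:img|object|iframe|script|embed)(?:\s|>|/)", re.IGNORECASE)


def check_from_header(raw_from):
    """Classify a raw From header value.

    Returns (verdict, display_name, addr_spec, reason).  Anything a strict
    parser cannot reduce to exactly one addr-spec is "suspicious"; that is
    the class the article's blank-sender header falls into.
    """
    value = (raw_from or "").strip()
    if not value:
        return ("suspicious", "", "", "empty From header")
    if MARKUP.search(value):
        return ("suspicious", "", "", "HTML-like tag inside From header")
    groups = ANGLE_GROUP.findall(value)
    if not groups:
        # Bare address with no display name, e.g. "alice@example.com".
        if ADDR_SPEC.match(value):
            return ("ok", "", value, "bare addr-spec")
        return ("suspicious", "", "", "no angle-bracketed addr-spec found")
    if len(groups) != 1:
        return ("suspicious", "", "", "more than one angle-bracket group")
    addr = groups[0].strip()
    if not ADDR_SPEC.match(addr):
        return ("suspicious", "", "", "angle-bracket content is not an addr-spec")
    display = value[: value.index("<")].strip().strip('"').strip()
    return ("ok", display, addr, "display name plus addr-spec")


def impersonates_mailbox_owner(display, addr, owner_name, owner_addr):
    """Heuristic for the Sent-folder case: the From identity is the mailbox
    owner's own name or address.  Assumption: the caller applies this only to
    messages that arrived from outside, which is not how Gmail itself decides."""
    return (display.casefold() == owner_name.casefold()
            or addr.casefold() == owner_addr.casefold())


def triage(raw_message, owner_name, owner_addr):
    """Parse a raw RFC 5322 message and return a one-line verdict."""
    msg = message_from_string(raw_message)
    verdict, display, addr, reason = check_from_header(msg.get("From", ""))
    if verdict != "ok":
        return "suspicious: " + reason
    if impersonates_mailbox_owner(display, addr, owner_name, owner_addr):
        return "suspicious: From claims to be the mailbox owner"
    return "ok: " + addr


# Constructed sample messages (not real traffic).
NORMAL = (
    'From: "Alice Example" <alice@example.com>\n'
    "To: bob@example.com\nSubject: hello\n\nbody\n"
)
# Recipient's quoted name followed by a broken <img> tag carrying a long
# base64 blob: the shape the article attributes to the blank-sender bug.
BLANK_SENDER = (
    'From: "Bob Example" <img src="data:image/jpeg;base64,' + "QUJDRA" * 60 + "\n"
    "To: bob@example.com\nSubject: re: the file you asked for\n\nbody\n"
)
# Mailbox owner's own name in the display-name slot: the Sent-folder shape.
SELF_NAMED = (
    'From: "Bob Example" <attacker@example.net>\n'
    "To: bob@example.com\nSubject: as discussed\n\nbody\n"
)

if __name__ == "__main__":
    for sample in (NORMAL, BLANK_SENDER, SELF_NAMED):
        print(triage(sample, "Bob Example", "bob@example.com"))
```

The point of the strict addr-spec check is that a header which a mail client's own parser tolerates may still be unrenderable by its UI; rejecting anything that does not reduce to one clean address catches the malformed case before the UI ever has to display it.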
Both flaws have been reported to Google, but so far, they have not been corrected.