Gmail Glitch Enables Anonymous Messages in Phishing Attacks

A glitch in the UX in Gmail allows the “from” field to be forged so there is no sender listed in the email’s header.

A Gmail bug has been discovered that allows a hacker to tinker with the “from” header in an email and ultimately leave the sender display blank, rendering the email anonymous. The trick could be weaponized for phishing attacks that purport to be official warnings or system messages.

Software developer Tim Cotten, who last week discovered a similar glitch in Gmail, said in a Friday post that a vulnerability in Gmail’s UX allows the “From” field to be forged; and aptly-dubbed “ghost” emails to be subsequently sent.

To pull off the trick, Cotten said he input the recipient’s email in the “from” header (“name, recipient_email_here”) and paired it with a large and arbitrary tag, like <object>, <script> or <img>.

“This is a derivative of the previous bug… that can serve as a phishing vector,” Cotten told Threatpost. “The email sender comes out blank after you put a malformed image data in the front field.”

The result was an email lacking a sender. Even when Cotten hit “reply” on the message, no sender’s name popped up on the reply message.

Even under the “Show Original” parameter for the email message (which can be reached via the drop down tag on the sent email) he still could not see a sender’s name in the “from” field.

However, further down in the actual text he was able to see the fuzzing test case using the <img> tag.

“It was the combination of the quoted alias, a preceding word, space and the long base64, badly encoded img tag (note the misspelling),” said Cotton. “As you can see, the header itself was preserved and parsed by Google, but the UX simply can’t handle it.”

The Gmail glitch may seem harmless – but it could be easily harnessed by bad actors crafting messages purporting to be official warnings or system messages — these often come without the “from” title attached to them.

The spoofed “Ghost” email

“Without the sender information there this looks completely legitimate, and a well-educated user could easily be suckered into compromising their own account,” said Cotten.

Cotten has reported both this bug and his previously-discovered Gmail glitch to Google – the company has not responded nor has it fixed either bug. Google meanwhile did not respond to a request for comment from Threatpost on the matter.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.