A new bug has surfaced in Gmail that lets a sender deliver mail without the sender address being shown. The message appears anonymous, which is an obvious opening for abuse.
An attacker can tamper with the 'From:' header by inserting arbitrary tags such as <img>, <object> or <script>, which causes the interface to display the 'From' field of the sender address as blank.
Developer Tim Cotten found that Gmail was not displaying the sender information that normally tells the user who a message came from.
According to him, when the 'From:' header is malformed in this way, Gmail replaces the sender field with a blank, and in the inbox listing only the subject line can be seen.
Opening the email shows no sender details either, and they stay hidden even when hovering over the field. The actions that usually reveal the user's details, such as add to contacts, schedule a meeting, start a video chat or send a Hangouts message, do not help.
Trying to reply to the mail to get something back does not work either. So if you think that at least Gmail itself can read the email headers and work out the destination, you are wrong again.
Cotten writes in his blog, "Wrong again! Gmail is at a complete loss at what to do!"
Going deeper into the issue, Cotten suspected the problem lay not with the header itself but with the UI. The 'Show original' option displays a user-friendly view for tracing a mail, but there too the sender field remains blank.
Looking further into the raw message, the source address finally turns up, hidden at the end of the <img> tag.
This is very unfortunate, because a normal user is unlikely to dig that deep to trace the original sender of a mail. For those users this is a high alert: it is an easy way to fall into a phisher's trap.
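As an added example that is not part of this post or of Cotten's write-up, the following Python script performs the header triage a mail gateway or SOC analyst could apply: it flags a 'From:' header that carries tag markup and recovers the addr-spec left behind in the raw source. The tag list, the regular expressions and the two sample messages are constructed assumptions, not Gmail's own logic.

```python
import re
from email.parser import HeaderParser

# Tag names the post says were used to blank the From field (hypothetical
# triage rule, not Gmail's own logic)
SUSPECT_TAG_RE = re.compile(r"<\s*(img|object|script)\b[^>]*>", re.IGNORECASE)
# Bare addr-spec, enough for triage; not a full RFC 5322 parser
ADDR_SPEC_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ANGLE_GROUP_RE = re.compile(r"<([^>]*)>")


def triage_from_header(raw_message: str) -> dict:
    """Inspect the From: header of a raw message and report what a UI
    would show versus what is actually hiding in the source."""
    headers = HeaderParser().parsestr(raw_message, headersonly=True)
    from_value = headers.get("From", "") or ""
    tags = sorted({m.group(1).lower() for m in SUSPECT_TAG_RE.finditer(from_value)})
    # A clean header has only "<local@domain>" inside angle brackets; any other
    # bracketed group is markup smuggled into the field
    odd_groups = [g for g in ANGLE_GROUP_RE.findall(from_value)
                  if not ADDR_SPEC_RE.fullmatch(g.strip())]
    # Drop the markup, then recover the address that survives in the raw source
    stripped = SUSPECT_TAG_RE.sub(" ", from_value)
    addresses = ADDR_SPEC_RE.findall(stripped)
    return {
        "from_header": from_value,
        "html_tags": tags,
        "odd_bracket_groups": odd_groups,
        "addresses": addresses,
        "suspicious": bool(tags) or bool(odd_groups),
    }


# Constructed sample messages; example.invalid is a reserved placeholder domain
CLEAN_MESSAGE = (
    "From: Alice Example <alice@example.invalid>\r\n"
    "Subject: Lunch\r\n\r\nSee you at noon.\r\n"
)
MALFORMED_MESSAGE = (
    'From: <img src="http://example.invalid/x.png"> <mailer@example.invalid>\r\n'
    "Subject: Account notice\r\n\r\nPlease review your account.\r\n"
)

if __name__ == "__main__":
    for name, msg in (("clean", CLEAN_MESSAGE), ("malformed", MALFORMED_MESSAGE)):
        print(name, triage_from_header(msg))
```

A gateway rule built on this would quarantine or tag the malformed case rather than let the client render a blank sender.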
Cotten has already reported the bug to Google, along with a suggested solution for stopping a forged 'From:' header from producing this anonymous result. But even after reporting the bug to Google, he has yet to receive a reply.
Reference: bleepingcomputer.com