November 20, 2018

The new Gmail bug allows sending emails anonymously

A new bug has surfaced in Gmail that allows a user to send mail without a visible sender address. This makes the mail anonymous and creates an obvious opening for abuse.

An attacker can tamper with the 'From:' header by adding arbitrary tags such as <img>, <object>, or <script>, which causes the interface to display the ‘From’ field of the sender address as blank.

Developer Tim Cotten found that Gmail does not display the sender information in the place where the user would normally find it.

According to him, when the ‘From:’ header is malformed, Gmail replaces the sender field with a blank, and only the subject line can be seen in the mail entry.

Opening the email does not show any sender details either, and they remain hidden even after hovering over the field. The actions that usually give you the sender's details, like adding to contacts, scheduling a meeting, starting a video chat or sending a Hangouts message, will not help.

Replying to the mail to learn something about the sender does not work either. So if you think that Gmail itself can read the email headers and get the destination, again you are wrong.
Cotten writes in his blog, "Wrong again! Gmail is at a complete loss at what to do!"

Going deeper into the issue, Cotten felt the problem might lie not with the header but with the UI. The Show original option displays a user-friendly view for tracing a mail, but the sender field remains blank there as well.

Looking further into the raw message, the source address finally shows up, hidden at the end of the <img> tag.

This is very unfortunate, because a normal user is unlikely to go to that depth to trace the original sender of a mail. For those users, this is a high alert: they can easily fall into a phisher's trap.
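A mail gateway or triage script can flag such messages from the raw headers, without relying on what the inbox view renders. The following check is an added example, not code from Cotten's post or from Google; the function name `audit_from`, the finding strings and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Tags the article names as being placed in the From: header.
TAG_RE = re.compile(r"<\s*/?\s*(img|object|script)\b", re.IGNORECASE)
# Any <...> group; a well-formed mailbox has exactly one, holding an address.
ANGLE_RE = re.compile(r"<([^<>]*)>")
ADDR_RE = re.compile(r"^[^\s@<>]+@[^\s@<>]+$")

def audit_from(raw_message):
    """Return a list of reasons the From: header looks malformed (empty if none)."""
    values = message_from_string(raw_message).get_all("From") or []
    if not values:
        return ["missing From header"]
    findings = []
    if len(values) > 1:
        findings.append("multiple From headers")
    for value in values:
        if TAG_RE.search(value):
            findings.append("HTML-like tag in From header")
        groups = ANGLE_RE.findall(value)
        if any(not ADDR_RE.match(g.strip()) for g in groups):
            findings.append("angle-bracket group is not an address")
        if len(groups) > 1:
            findings.append("more than one angle-bracket group")
    return findings

# Constructed sample messages (not taken from the original report).
CLEAN = "From: Alice Example <alice@example.com>\nSubject: hi\n\nbody\n"
TAGGED = 'From: <img alt="x"> sender@example.com\nSubject: hi\n\nbody\n'
NO_FROM = "To: bob@example.org\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("tagged", TAGGED), ("no-from", NO_FROM)):
        print(name, audit_from(raw))
```

Messages that return a non-empty list can be quarantined or tagged so the recipient sees a warning even when the client shows no sender.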

Cotten has already reported this bug to Google, along with a solution to stop forging of the “From:” header by implementing anonymous structure. But even after reporting the bug to Google, he has yet to get any reply.


