Multiple posts from software engineer Tim Cotten indicate serious errors exist in Gmail. The Gmail errors in question, when used for nefarious purposes, allow for even the most cautious of individuals to potentially be duped by phishing emails. Of the issues presented, which are intertwined, the most egregious is the ability to hide the sender with some maneuvering in Gmail’s UX. Cotten explains it in one post as follows:
By tailoring a malicious input in a certain way the Gmail app leaves the sender display completely blank both in the list view and in the detailed email view. This could be further weaponized for phishing attacks based on faking the appearance of official warnings or system messages.
The crux of the argument here comes from how the header is able to be parsed by Google, but the UX, on the other hand, cannot handle it. This is actually, as noted earlier, connected to a prior error that Tim Cotten discovered several days before. In that particular exploit, Cotten explained in his previous post that “you can force an email to enter someone’s Gmail Inbox, Sent folder, and in:sent filter by adding their own email to the From field’s name area (the part in quotes).”
Tim Cotten confirmed that he had contacted Google with his findings, but much to his dismay at the time of writing had received no response. The news of this particular UX issue has been making the rounds on various cybersecurity news sites. Perhaps with enough pressure, the design of Gmail can be altered so that social engineers aren’t given carte blanche to hoodwink unsuspecting individuals into opening malicious emails.
It is somewhat surprising that Google allowed such an egregious issue to pass by unchecked. A company at their level of power, especially with some of the most brilliant programmers at the helm, has no excuse to make such a glaring error. Hopefully, this can be fixed before too much damage is done. Phishing emails can be the vehicle of incredibly destructive malware, identity theft, and countless other criminal tactics.
Featured image: Flickr / Tom Page
So, potential victims will be users who:
1. do not check the Sender and/or assume that a blank sender is OK, and/or
2. assume the mail is OK just because it appeared in the Inbox, instead of considering this no more than another filter – not the ultimate
Doesn’t look like it will greatly expand the universe of current victims…