Update: Google reached out to us through a Cloud spokesperson who works with the security team. “We will be rolling out fixes to address these issues. It’s important to note that these issues do not impact Gmail’s phishing protections, such as those that prevent more than 99.9% of spam and phishing emails from reaching users’ inboxes and warnings that pop up when composing a reply to an unfamiliar recipient,” the company’s statement said.
Gmail is the most widely used email platform in the world, which makes it a hunting ground for hackers looking to trick people into handing over personal, sensitive information. A new bug has now been discovered in Gmail that allows hackers to send emails with no visible sender, making it easier to trap users in phishing attacks.
As discovered by software developer Tim Cotten, who first reported it last week, a major vulnerability in the platform’s UX allows anyone to forge the ‘From’ sender’s address so that it appears empty. He has aptly termed these “ghost emails”: they reach the recipient without telling them who sent the message.
Cotten found this vulnerability by substituting part of the display name in a From: header of the form ‘name, recipient_email_here <sender_email_here>’ with large, arbitrary HTML tags, such as an <object>, <script> or <img> tag. Gmail raised no red flags when he hit send, but the recipient received an email with an alarming subject and no sender information – neither in their inbox nor within the conversation view. Even hitting the reply button does not show the sender’s details under the ‘To’ section, because that field has been replaced with the <img> tag.
The sender information is certainly still there, since the email reached its destination, but it is hidden in the raw message. Gmail preserved and parsed the sender details, yet it could not display them in the UI because of the unusual length of the string.
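To make the failure concrete from the defender’s side, here is an added example (not code from the article or from Cotten) that parses a raw message, splits the From: header at the last angle-bracket address, and flags display names that contain HTML tags, are unusually long, or would render as empty. The 64-character threshold and the sample messages are constructed for this example; the article gives no figure for Gmail’s actual limit.

```python
import re
from email import message_from_bytes

# Length threshold is an assumption for this example; the page does not give Gmail's limit.
MAX_DISPLAY_NAME_LEN = 64
# Greedy name group so the LAST <...> is taken as the address, even if tags precede it.
ANGLE_ADDR_RE = re.compile(r"^(?P<name>.*)<(?P<addr>[^<>]+)>\s*$", re.DOTALL)
HTML_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^<>]*>")

def split_from_header(value: str) -> tuple[str, str]:
    """Split a From: value into (display name, address) using the last <...> group,
    because the real address sits after any HTML tags stuffed into the display name."""
    value = " ".join(value.split())  # unfold a multi-line header onto one line
    m = ANGLE_ADDR_RE.match(value)
    if m:
        return m.group("name").strip(), m.group("addr").strip()
    return "", value.strip()  # bare address with no display name

def inspect_from_header(raw_message: bytes) -> dict:
    """Return the From: address plus the findings that would make it render as a ghost sender."""
    msg = message_from_bytes(raw_message)
    name, addr = split_from_header(str(msg.get("From", "")))
    visible_name = HTML_TAG_RE.sub("", name).strip()  # what a tag-stripping UI would show
    findings = []
    if HTML_TAG_RE.search(name):
        findings.append("html_tag_in_display_name")
    if len(name) > MAX_DISPLAY_NAME_LEN:
        findings.append("display_name_too_long")
    if name and not visible_name:
        findings.append("display_name_renders_empty")
    return {"address": addr, "display_name": name,
            "findings": findings, "suspicious": bool(findings)}

# Constructed sample messages (not real mail): one ordinary From: header and one
# whose display name has been replaced by an oversized <img> tag, as in the article.
NORMAL_MESSAGE = b"From: Alice Example <alice@example.com>\r\nSubject: hi\r\n\r\nbody\r\n"
GHOST_MESSAGE = (b'From: <img src="https://example.com/a.png" alt="' + b"x" * 200
                 + b'"> <sender@example.com>\r\n'
                 b"Subject: Account locked - act now\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for raw in (NORMAL_MESSAGE, GHOST_MESSAGE):
        print(inspect_from_header(raw))
```

Run against a mailbox export, the same check gives a simple triage rule: any message whose display name is flagged deserves a look at the raw headers rather than the rendered view.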
In his Medium post, Cotten discusses the potential for malicious use and adds that “without the sender information, this (the mail without a sender) looks completely legitimate and a well-educated user could easily be suckered into compromising their own account.” A hacker could make you believe it is a genuine email, thus coaxing you into clicking the malicious link.
This vulnerability has already been reported to Gmail, and the team is presumably working on a fix. In the meantime, we would suggest you keep an eye out for emails with an empty sender’s address.