A bug in the way Gmail handles the structure of the 'From:' header could allow placing of an arbitrary email address in the sender field.
Although this issue opens the door for high-level abuse, at the very least it is possible to add the recipient's address and confuse them about the emails they sent and their content.
Software developer Tim Cotten recently investigated an incident at his company when an employee found in the Sent folder of her Gmail account some messages she did not remember sending.
At a closer look, the developer discovered that "the emails had not been sent from her account, but were received from an external account and then filed in her Sent folder automatically."
The cause became apparent when looking at the 'From:' header, which showed an anomaly in its structure: it contained the sender's address along with the recipient's.
"So it appears that by structuring the From: field to contain the recipient’s address along with other text the GMail app reads the From field for filtering/inbox organization purposes" and sorts the message as if it were sent by the recipient, the developer explains.
Cotten contacted Google about this but did not receive an answer. Yesterday, the developer checked whether the problem was still present: the Gmail server rejected the delivery because the header contained multiple addresses, and he initially thought it had been fixed. The reason for the rejection was that he had not put the alias in quotes.
In another test he did for BleepingComputer he used a slightly changed 'From:' structure and discovered that the issue persisted.
If an attacker uses the recipient's address in the 'From:' header, there are some hints that could tip off the user that something is not right. First, the emails arrive in the Inbox folder, which is sufficiently visible to someone who keeps a close eye on their messages. Second, the copy in the Sent folder appears with a bold subject line. On top of this, more vigilant users may catch the oddity in the 'From' field.
However, there are higher risks. As Cotten explains, a threat actor targeting a business could seize the opportunity to plant malicious links. Furthermore, the developer told us that it is technically possible to add any email address to the header, between quotes, which would enable spoofing the sender.
In a demonstration over email, he showed how a different name is visible to the recipient, while the true sender could be a malicious source.
The example above shows a name that is associated with an arbitrary address. Although the spoofing is not flawless, it may be sufficient to do the trick. This type of bug is gold for crooks running Business Email Compromise (BEC) scams, because they could send messages as if they came from the company individuals responsible for authorizing payments or money transfers.
Cotten's public disclosure of the bug fueled discussions on bugs in Gmail, which brought attention to another bug that allows spoofing of the recipient's address.
The problem has been fixed in the Gmail web app but is still exploitable on Android almost 19 months after being reported to Google.
Because the data in the Compose box is insufficiently checked, it is possible to create a 'mailto:' URI with two email addresses: one poses as the name of the recipient and the other is the actual destination address, as in the example below.
A victim falling for this trick would see PayPal's support address in the To: field of Gmail for Android when the true destination is the scammer's inbox.
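Both problems described in this article share one shape: an email address placed where a display name belongs, while a different address is the one actually used for routing. The following is an added example, not code from the article or from Cotten or Grey, of a small standard-library Python checker a mail gateway or link scanner could apply to both cases: a 'From:' header whose quoted display name carries an address other than the real sender, and a 'mailto:' link whose recipient display name differs from the real destination. The addresses and the sample header and link are constructed placeholders; the exact structure of the original proof-of-concept links is not assumed.

```python
import re
from email.utils import getaddresses
from urllib.parse import unquote

# Loose addr-spec matcher used only to spot addresses hidden inside display names.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def address_findings(pairs):
    """Inspect (display_name, addr_spec) pairs as returned by
    email.utils.getaddresses and return a list of finding tags."""
    findings = []
    real = [addr for _, addr in pairs if addr]
    if len(real) > 1:
        # A From: field should name exactly one mailbox.
        findings.append("multiple-addresses")
    for name, addr in pairs:
        for embedded in ADDR_RE.findall(name):
            # A display name that is itself an address is only harmless when it
            # matches the address actually used for routing.
            if embedded.lower() != addr.lower():
                findings.append("display-name-address-mismatch")
                break
    return findings


def check_from_header(value):
    """Findings for a raw From: header value (the Sent-folder case)."""
    return address_findings(getaddresses([value]))


def check_mailto(uri):
    """Return (real_recipients, findings) for a mailto: URI (the Android
    Compose case). Only the recipient part before any '?' query is examined."""
    if not uri.lower().startswith("mailto:"):
        raise ValueError("not a mailto: URI")
    to_part = uri[len("mailto:"):].split("?", 1)[0]
    pairs = getaddresses([unquote(to_part)])
    real = [addr for _, addr in pairs if addr]
    return real, address_findings(pairs)


if __name__ == "__main__":
    # Constructed samples; every address below is a placeholder, not a real account.
    for header in (
        "Alice Example <alice@example.com>",
        '"alice@example.com" <bob@example.org>',   # recipient's address quoted as the name
    ):
        print(repr(header), "->", check_from_header(header) or "ok")
    # Constructed mailto: link whose display name impersonates a support mailbox.
    link = "mailto:%22support%40example.com%22%20%3Cother%40third-party.example%3E"
    print(link, "->", check_mailto(link))
```

Gmail's own fix for the web app is not known from the article, so the check above is deliberately conservative: it flags only a display name that parses as an address different from the routed one, and a 'From:' with more than one mailbox, which is the same anomaly Cotten noticed in the header.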
"In order to exploit this vulnerability, the target user only needs to click on a malicious mailto: link," Eli Grey wrote in the initial report, following private disclosure to Google.
He also created a proof of concept that demonstrates how a scammer can steal sensitive information by tricking the victim into believing they're sending a message to a trustworthy address.