A new bug discovered in Gmail affects the web app's user experience by hiding the source address of an email, a situation that comes with an obvious potential for abuse.
Tampering with the 'From:' header by replacing some text with an <object>, <script> or <img> tag causes the interface to show a blank space instead of the sender's address.
Software developer Tim Cotten found that Gmail fails to show the source of the message in areas that most users rely on to find this type of information.
According to his research, when a 'From:' header is malformed in a specific way, Gmail leaves the space where the sender's details are normally shown empty, so only the subject line is displayed for that message.
Opening the email does not help either: the sender's address remains hidden, and hovering over the sender field, an action that normally reveals the details and offers several actions (adding to contacts, sending email, scheduling an event, sending a Hangouts message or starting a video call), shows nothing.
Replying to the message is also of no help. Cotten tried this expecting that Gmail would read the original email headers and determine the destination address.
"Wrong again! Gmail is at a complete loss at what to do!" Cotten writes in a blog post that details his new finding.
Delving deeper, the developer realized that the problem lies not with the header itself but with the user interface.
Even the Show Original option, which more experienced users rely on to trace an email, does not reveal the sender in its user-friendly view.
The raw view, however, shows the source address buried at the end of the <img> tag Cotten used in his experiment. He did not even have to spell the data type correctly to trigger the bug.
Unfortunately, it is highly unlikely that the average Gmail user will navigate to this area and work out who the apparently anonymous message is coming from. For these users, the risk of phishing is therefore high.
"Without the sender information there this looks completely legitimate and a well-educated user could easily be suckered into compromising their own account," the developer explains.
Indeed, messages without a sender could easily pass as system notifications that should not be ignored, much like the mobile alerts a carrier sends. To prove this point, Cotten created an email with a subject line that purports to deliver an important warning from Google.
The result could be interpreted as a genuine alert from the email provider, and it is likely to fool a large number of users. Unless they have activated the two-factor authentication (2FA) feature, victims could lose their Google account credentials.
This is the second time in less than a week that Cotten has revealed a Gmail-related bug. His latest work builds on his earlier discovery that a malformed 'From:' header allows an arbitrary email address to be placed in the sender field.
At the moment, there are at least three known UX-related glitches that affect Gmail and can be abused for convincing phishing. The two disclosed by Cotten are joined by a flaw in the UX that allows fraudsters to create a 'mailto:' link that populates the destination field in the app with whatever address they want; the latter was reported to Google about 19 months ago and is still present in the Gmail app for Android.
According to the developer, one solution Google could implement to prevent forging of the From field is to properly check the email headers and reject messages whose sender or recipient fields have an anomalous structure. Another method proposed by Cotten is Joran Greef's project Ronomon, which can raise errors when email specifications are not followed.
The developer says that he reported both findings to Google but did not hear back from the company. BleepingComputer also reached out to Google about the second bug but did not receive a reply at the time of publishing.
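One way to implement the header check described above, as an added example that is not from the article, from Cotten, from Ronomon or from Google: a strict validator that accepts a 'From:' value only as a bare addr-spec or as display name <addr-spec> (dot-atom form only, which is deliberately narrower than RFC 5322), and rejects anything else, including values that carry a tag such as <img> before or around the real address. The sample headers are constructed for this example.

```python
import re

# Strict dot-atom addr-spec (local@domain). Quoted local parts, comments and
# domain literals are deliberately not accepted; this is stricter than RFC 5322.
ADDR_SPEC = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$"
)
# Any <...> group in the header value; a conforming From: line has at most one.
ANGLE_GROUP = re.compile(r"<([^<>]*)>")


def check_from_header(value):
    """Validate a raw From: header value; returns (ok, reason, addr_spec)."""
    groups = ANGLE_GROUP.findall(value)
    outside = ANGLE_GROUP.sub("", value)
    # A '<' or '>' left over after removing complete groups means an unclosed
    # bracket or a bracket inside the display name: reject either way.
    if "<" in outside or ">" in outside:
        return False, "stray angle bracket in header", None
    if len(groups) > 1:
        # e.g. a tag such as <img ...> followed by the real <addr-spec>
        return False, "more than one angle-bracket group", None
    if not groups:
        # Bare addr-spec form: the whole header value must be the address.
        candidate = value.strip()
        if not ADDR_SPEC.match(candidate):
            return False, "header is neither a bare addr-spec nor name <addr-spec>", None
        return True, "", candidate
    # name <addr-spec> form: the bracket content must be exactly an addr-spec.
    candidate = groups[0]
    if not ADDR_SPEC.match(candidate):
        return False, f"angle-bracket content is not an addr-spec: <{candidate}>", None
    return True, "", candidate


# Constructed sample headers (not taken from Cotten's write-up).
SAMPLE_HEADERS = [
    "Google Security <alerts@example.invalid>",
    "alerts@example.invalid",
    'Google Security <img src="x"> <alerts@example.invalid>',
    "Notice <object alerts@example.invalid>",
    "Accounts <alerts@example.invalid",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        ok, reason, addr = check_from_header(header)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {header!r} {addr or reason}")
```

A mail gateway or client would run this on the decoded header value before rendering; a rejected value should be quarantined or shown with an explicit "sender could not be verified" marker rather than a blank field.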