Gmail Bugs Allow Changing From: Field and Spoofing Recipient’s Address[bleepingcomputer]
by CIRT Team
A bug in the way Gmail handles the structure of the ‘From:’ header could allow placing of an arbitrary email address in the sender field.
Although this issue opens the door for high-level abuse, at the very least it is possible to add the recipient’s address and confuse them about the emails they sent and their content.
Touching the sender field
Software developer Tim Cotten recently investigated an incident at his company when an employee found in the Sent folder of her Gmail account some messages she did not remember sending.
At a closer look, the developer discovered that “the emails had not been sent from her account, but were received from an external account and then filed in her Sent folder automatically.”
The cause became apparent when looking at the ‘From:’ header, which showed an anomaly in its structure: it contained the sender’s address along with the recipient’s.
“So it appears that by structuring the From: field to contain the recipient’s address along with other text the GMail app reads the From field for filtering/inbox organization purposes” and sorts the message as if it were sent by the recipient, the developer explains.
Cotten contacted Google about this, but did not receive an answer. Yesterday, the developer checked if the problem was still present and the Gmail server rejected the delivery on account of having multiple addresses and thought it was fixed. The reason behind this was that he did not use quotes with aliases.
In another test he did for BleepingComputer he used a slightly changed ‘From:’ structure and discovered that the issue persisted.
For more, click here.