430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Flaw in the Android Gmail app opens to email spoofing attacks

A security loophole in the official Gmail Android app opens the email spoofing attacks allowing anyone to change the sender email name. The independent security researcher Yan Zhu has discovered a serious security issue in the Gmail Android app allows ill-intentioned to send an email pretending to be someone else. Clearly a similar loophole could represent a […]

Flaw in the Android Gmail app opens to email spoofing attacks

A security loophole in the official Gmail Android app opens the email spoofing attacks allowing anyone to change the sender email name.

The independent security researcher Yan Zhu has discovered a serious security issue in the Gmail Android app allows ill-intentioned to send an email pretending to be someone else. Clearly a similar loophole could represent a gift for phishers and scammers, the issue dubbed Email Spoofing, enable  the forgery of an e-mail header so that the email appears to have originated from someone else than the legitimate sender.

In a classic email spoofing attack, threat actors need an SMTP (Simple Mail Transfer Protocol) server to send the email and a mailing application.

The researchers Yan Zhu, discovered a flaw in the Gmail Android app that allowed her to change her display name in the account settings so that the final recipient will not be able to know the identity of the email sender.

Zhu provided a PoC of her attack by sending an email to someone by changing her display name to yan “”security@google.com,” as it visible in the following image.

gmail email spoofing attack

 

“[This] extra quotes [in the display name] triggers a parsing bug in the Gmail app, which causes the real email to be invisible,” Zhu told Motherboard. “It’s always been possible to spoof email envelope addresses, but spoofed emails now usually get caught by spam filters or get displayed with a warning in Gmail, With this bug, a hacker can get around these protections.”

Wait! Now is arriving the interesting part of the story.

Zhu reported the issue to the Google Security team at the end of October, but unfortunately the experts rejected the bug report saying it is not a security vulnerability.

“Thanks for your note, we do not consider this [bug] to be a security vulnerability,” a Google Security Team member told Zhu.

Filed a Gmail Android bug that lets me fake sender email address. [Google] said it’s not a security issue. ¯\_(ツ)_/¯.” Zhu tweeted.

You got it right! The security team of Google does not consider a security issue the e-mail spoofing.
Users that want to protect themselves from email spoofing attacks can read the following suggestions:
  • Enable antispam feature provided by your email service.
  • Analyze the Email message headers and search for the legitimate IP addresses of the sender. Every time you suspect an email spoofing give a look to the header and search for the real source.
  • Never Click on a Suspicious Link or open suspicious attachment. Be aware of any unsolicited email.
  • Keep your PC’s Antimalware Up-to-Date.

Pierluigi Paganini

(Security Affairs – email spoofing, Gmail)