U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hacking Gmail’s UX with from fields for phishing attacks

A glitch in Gmail could be exploited by hackers to carry out phishing attacks, the issue is related the way Gmail automatically files messages into Sent folder A bug in Gmail could be exploited by attackers to carry out phishing attacks, the flaw ties the way Gmail automatically files messages into the “Sent” folder. The bug […]

Gmail hack

A glitch in Gmail could be exploited by hackers to carry out phishing attacks, the issue is related the way Gmail automatically files messages into Sent folder

A bug in Gmail could be exploited by attackers to carry out phishing attacks, the flaw ties the way Gmail automatically files messages into the “Sent” folder.

The bug that was discovered by software developer Tim Cotten, it could be exploited by an attacker to place emails into a person’s “Sent” folder, even if the person has never sent the messages.

Gmail moves an email into the Sent folder based on the address in the “from” field.

Gmail hack

An attacker could exploit the bug by sending an email to a target, which has been specially crafted to have that target’s email address in the “from” field.

Gmail will move the email to both the target’s inbox and Sent folder.

“So it appears that by structuring the from field to contain the recipient’s address along with other text, the GMail app reads the from field for filtering/inbox organization purposes and sorts the email as though it were sent from [the recipient], despite it clearly also having the originating mailbox as [another address],” wrote the researcher.

This issue could be exploited by hackers in an attack scenario that sees it first sending a spam emails that is moved in the inbox of the target, then he will send out a follow-up email asking the victim to look back at previous messages for some reason and trick them into open something malicious.

“Imagine, for instance, the scenario where a custom email could be crafted that mimics previous emails the sender has legitimately sent out containing various links.” wrote Cotten.

“A person might, when wanting to remember what the links were, go back into their sent folder to find an example: disaster!

Don’t get me wrong, the user should still verify the details at the top of the email and might catch on that something is odd —but we know it only takes a small percentage of due-diligence failure to have a big environment effect.”

Cotten reported the findings to Google, he also cited another bug in Gmail filtering that was reported by “tekstar”:

“For example imagine Alice emails Bob and Chad, and in the ‘to:’ field for Bob she gives Bob a different name, like ‘Brad’ [but the address is still <bob@bob.com>],” tekstar said. “If Chad replies to this email, Bob will now be in his contact list as Brad. The email is still bob@bob.com but you can see how it could be malicious, or at least fodder for fun pranks.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Gmail, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]