Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Bug Google

New Gmail Bug Allows Sending Messages Anonymously (bleepingcomputer.com) 55

Earlier this week software developer Tim Cotten discovered a serious glitch in Gmail. An anonymous reader quotes BleepingComputer: Tampering with the 'From:' header by replacing some text with an <object>, <script> or <img> tag causes the interface to show a blank space instead of the sender's address.... Opening the email does not help, either, as the sender's address continues to remain hidden and shows no info even when hovering on it, an action that typically reveals the details.... Trying to reply to the message is also of no help. Cotten attempted this thinking that Gmail would read the original email headers and determine the destination. "Wrong again! Gmail is at a complete loss at what to do!" Cotten writes in a blog post that details his new finding....

Using the Show Original option, which allows users with more experience to trace an email, the desired detail is still unavailable in the user-friendly view. Looking at the raw info, however, shows the source address buried at the end of the <img> tag Cotten used in his experiment. He didn't even have to spell correctly the data type to trigger the bug. Unfortunately, it is highly unlikely that the average Gmail user will be able to navigate to this area and determine who the apparently anonymous message is coming from. Due to this, for these users the risk of phishing is high.

Cotten's bug report "relies on his previous discovery that proved how a malformed 'From:' header allows placing an arbitrary email address in the sender field," the article points out, also noting a third recently-reported Gmail bug that "allows fraudsters to create a 'mailto:' link that populates the destination field in the app with whatever address they want; the latter was reported about 19 months ago to Google and is still present in the Gmail app for Android."

"According to the developer, one solution Google could implement to avoid forging the From field is to properly check the email headers and deny communication with an anomalous structure in the sender or recipient fields. Another method proposed by Cotten is Joran Greef's project Ronomon, which can trigger errors when email specifications are not followed."

Threatpost reported Tuesday that Google "did not respond to a request for comment."
This discussion has been archived. No new comments can be posted.

New Gmail Bug Allows Sending Messages Anonymously

Comments Filter:
  • email not secure (Score:5, Informative)

    by phantomfive ( 622387 ) on Sunday November 25, 2018 @03:37PM (#57698040) Journal
    You should never consider email to be accurate as to who the sender is. If you want to be certain, have them sign it cryptographically. That is the only solution, and even that is not 100% certain (for example, if keys get stolen).
  • by dogsbreath ( 730413 ) on Sunday November 25, 2018 @03:53PM (#57698098)

    Hardly sending anonymously. Last I looked at an iPhone, their interface totally hides the ability to determine the true sender of an email, and they do that purposefully.

    Certainly should be fixed and leads to questions about what else is lurking in the code. On the severity side seems low; just another method available for phishing.

  • NOT a bug in GMail (Score:5, Informative)

    by macraig ( 621737 ) <mark.a.craig@gmCOMMAail.com minus punct> on Sunday November 25, 2018 @04:07PM (#57698146)

    GMail is more than just its HTTP interface, which is where this bug manifests. For the idiots who don't know the difference, there is nothing wrong with GMail's SMTP or POP3 or IMAP servers; you can use those safely (well... it's still Google) from any standalone e-mail client you might choose. The ONLY thing you should avoid - and honestly you should have been doing it long before now - is GMail DOT COM and its HTTP Webmail interface to the underlying service.

    Get yourself a real e-mail client.

    • by 93 Escort Wagon ( 326346 ) on Sunday November 25, 2018 @05:21PM (#57698422)

      Get yourself a real e-mail client.

      My work email is through Google Apps (or G Suite or whatever they’re calling it this week). I use a “real e-mail client”, and interface with their servers via IMAP. I avoid their web interface as much as I can.

      I can’t claim to do this because of security, though. It’s just that web mail - even Google’s version of it - sucks in comparison to a real email client. Not to mention that, on rare occasions, I have needed to send encrypted email... and I’d rather no one other than the recipient have access to the contents of those messages.

  • by Solandri ( 704621 ) on Sunday November 25, 2018 @05:28PM (#57698444)
    Most email clients add one, but the email spec doesn't require it, much less provide a way to confirm that it's accurate. Spammers have run amok with this for decades (you didn't think your cousin Linda really sent you that spam about penis enlargement, did you?). Even Gmail doesn't enforce it - you can configure it to insert a different address as your From address [google.com]. While it's cute that he's figured out a way to have to accept a blank as the From address, this is hardly an earthshattering bug.
  • This is what happens when you couple a glorified home-page displayer with an ad-delivery-oriented touring-complete language, and call it a development environment. It's a wonder that Google hasn't done worse, I praise their engineers.
  • Not a bug its a feature, just like all the other ones that go against the public!
  • Hi, original author here. The issues are still unresolved as of this morning.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...