New Gmail Bug Allows Sending Messages Anonymously (bleepingcomputer.com) 55
Earlier this week software developer Tim Cotten discovered a serious glitch in Gmail. An anonymous reader quotes BleepingComputer:
Tampering with the 'From:' header by replacing some text with an <object>, <script> or <img> tag causes the interface to show a blank space instead of the sender's address.... Opening the email does not help, either, as the sender's address continues to remain hidden and shows no info even when hovering on it, an action that typically reveals the details.... Trying to reply to the message is also of no help. Cotten attempted this thinking that Gmail would read the original email headers and determine the destination. "Wrong again! Gmail is at a complete loss at what to do!" Cotten writes in a blog post that details his new finding....
Using the Show Original option, which allows users with more experience to trace an email, the desired detail is still unavailable in the user-friendly view. Looking at the raw info, however, shows the source address buried at the end of the <img> tag Cotten used in his experiment. He didn't even have to spell correctly the data type to trigger the bug. Unfortunately, it is highly unlikely that the average Gmail user will be able to navigate to this area and determine who the apparently anonymous message is coming from. Due to this, for these users the risk of phishing is high.
Cotten's bug report "relies on his previous discovery that proved how a malformed 'From:' header allows placing an arbitrary email address in the sender field," the article points out, also noting a third recently-reported Gmail bug that "allows fraudsters to create a 'mailto:' link that populates the destination field in the app with whatever address they want; the latter was reported about 19 months ago to Google and is still present in the Gmail app for Android."
"According to the developer, one solution Google could implement to avoid forging the From field is to properly check the email headers and deny communication with an anomalous structure in the sender or recipient fields. Another method proposed by Cotten is Joran Greef's project Ronomon, which can trigger errors when email specifications are not followed."
Threatpost reported Tuesday that Google "did not respond to a request for comment."
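The first fix the summary attributes to Cotten, rejecting a From: header with an anomalous structure, can be sketched as a gateway-side check. This is an added example, not code from the post, from Gmail or from Ronomon; the grammar it accepts is a deliberately conservative subset of RFC 5322 (one mailbox, no angle brackets inside the display name, dot-atom local part and a dotted domain), and the sample headers are constructed.

```python
import re

# Conservative subset of an RFC 5322 addr-spec: dot-atom@dot-atom with at
# least one dot in the domain. Quoted local parts and domain literals are
# rejected on purpose; a mail gateway can afford to be stricter than the RFC.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
ADDR_SPEC = re.compile(rf"^{ATEXT}(?:\.{ATEXT})*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

# Exactly one mailbox: either a bare addr-spec, or a display name followed by
# one angle-bracketed addr-spec. The display name may contain no angle
# brackets at all, quoted or not, so nothing tag-shaped can hide in it.
MAILBOX = re.compile(
    r'^\s*(?:'
    r'(?P<name>"[^"<>\\\r\n]*"|[A-Za-z0-9!#$%&\'*+/=?^_`{|}~. -]*)\s*<(?P<addr>[^<>\s]+)>'
    r'|(?P<bare>[^<>\s]+)'
    r')\s*$'
)


def check_from_header(raw: str):
    """Return (ok, reason, addr). ok is True only for one well-formed mailbox."""
    if "\r" in raw or "\n" in raw:
        return False, "line break in header (folding/injection)", None
    if raw.count("<") != raw.count(">") or raw.count("<") > 1:
        return False, "angle brackets are unbalanced or repeated", None
    m = MAILBOX.match(raw)
    if not m:
        return False, "not a single name-addr or addr-spec", None
    addr = m.group("addr") or m.group("bare")
    if not ADDR_SPEC.match(addr):
        return False, f"addr-spec rejected: {addr!r}", None
    return True, "ok", addr


# Constructed sample headers (hypothetical addresses): the first three are the
# shapes a legitimate sender produces, the rest mimic a tag smuggled into From:.
SAMPLES = [
    "Alice <alice@example.com>",
    '"Smith, Alice" <alice@example.com>',
    "alice@example.com",
    "<img src=x>alice@example.com",
    "<object>alice@example.com",
    "Support <script> <support@example.com>",
]

if __name__ == "__main__":
    for s in SAMPLES:
        ok, reason, addr = check_from_header(s)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {s!r}: {reason}")
```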
email not secure (Score:5, Informative)
Re: (Score:2)
You're not beating anybody at anything, you're just beating yourself off.
Re: (Score:2)
My hook nose is missing from your post. Please correct this immediately.
Re: (Score:2)
Thank you. I have read your advertisement several times now and I would like to subscribe to your publications.
Please find enclosed a signed Postal Order, written in GBP (Great British Pounds), sufficient to cover 12 months' subscription, by post, plus a little extra to expedite processing. I have also included 12 First Class stamps and 12 padded A4 envelopes in the package.
Please deliver the monthly newsletter and optional marching orders package to Crazy Cat Lady, 26 Hook Street, Nose End, Lancashire, Eng
Misleading subject line (Score:3)
Hardly sending anonymously. Last I looked at an iPhone, their interface totally hides the ability to determine the true sender of an email, and they do that purposefully.
Certainly should be fixed and leads to questions about what else is lurking in the code. On the severity side seems low; just another method available for phishing.
Re: (Score:2)
Nope, telnet to port 25 on the recipient's domain's MX host.
(Good luck finding a recipient whose SMTP server allows direct connections from your IP address.)
Re: (Score:1)
most
Pure bullshit
Re: (Score:2)
Generalization fallacy.
Historically the statement is true. It has become less so over time due to progressive adoption of various authentication mechanisms (SPF, DKIM, DMARC) but is still largely accurate.
NOT a bug in GMail (Score:5, Informative)
GMail is more than just its HTTP interface, which is where this bug manifests. For the idiots who don't know the difference, there is nothing wrong with GMail's SMTP or POP3 or IMAP servers; you can use those safely (well... it's still Google) from any standalone e-mail client you might choose. The ONLY thing you should avoid - and honestly you should have been doing it long before now - is GMail DOT COM and its HTTP Webmail interface to the underlying service.
Get yourself a real e-mail client.
Re:NOT a bug in GMail (Score:4, Insightful)
Get yourself a real e-mail client.
My work email is through Google Apps (or G Suite or whatever they’re calling it this week). I use a “real e-mail client”, and interface with their servers via IMAP. I avoid their web interface as much as I can.
I can’t claim to do this because of security, though. It’s just that web mail - even Google’s version of it - sucks in comparison to a real email client. Not to mention that, on rare occasions, I have needed to send encrypted email... and I’d rather no one other than the recipient have access to the contents of those messages.
Re: (Score:2)
I've been using the same Ruby app I wrote 10 years ago to check for new messages over IMAP and launch my mail client, and I'm not getting "constantly hounded."
You're probably just confused; if you won't give them permission to send shit to your phone to pretend you have increased security, they will pester you about that; but that isn't a reduced security mode at all, it is an increased security mode if your phone is more likely to get lost or be accessed without permission than your desktop. Only family ha
From address is optional (Score:5, Interesting)
JavaScript disaster (Score:2)
Re: (Score:2)
Re: (Score:2)
I tried the "hack" and it doesn't work anymore - GMail has been patched for this already...
Incorrect. https://imgur.com/a/tIODzuK
If you copy/pasted the result of the Show Original it wouldn't work, true. But still easily reproducible based on the attack vector description.
not a bug, but a feature (Score:1)
Issues are still unresolved (Score:2)
Hi, original author here. The issues are still unresolved as of this morning.