An unusual bug in Gmail’s Android app allows anyone to make their email look like it was sent by someone else, and might open the door to dangerous phishing emails.
The flaw was discovered by independent security researcher Yan Zhu, who reported it to Google at the end of October. The bug only works within the regular Gmail Android app. To take advantage of it, a sender simply changes the display name in the account settings; the sender's real email address is then hidden, and the receiver won’t be able to reveal it.
To send the email displayed above, Zhu changed her display name to yan ""email@example.com" with an extra quotation mark.
“The extra quotes trigger a parsing bug in the Gmail app, which causes the real email to be invisible,” Zhu told Motherboard.
Google’s Security team dismissed her bug report, saying this is not a security vulnerability, according to Zhu’s screenshots of her email correspondence with the internet giant.
“Thanks for your note, we don’t consider this to be a security vulnerability,” a Google Security Team member told Zhu.
At that point, Zhu decided to disclose the bug on Twitter.
"filed a gmail android bug that lets me fake sender email address. they said it" (yan⚠, November 11, 2015)
While this is a low-risk vulnerability, given that it only works within Android’s Gmail app, it could be abused by someone with malicious intentions to send phishing emails that have a higher probability of tricking victims. This is exactly the scenario that Zhu posited to Google when she alerted them to the bug.
It’s always been possible to spoof email envelope addresses, but spoofed emails now usually get caught by spam filters or get displayed with a warning in Gmail, Zhu told Motherboard. With this bug, a hacker can get around these protections.
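A receiving mail system can flag this pattern without relying on the client's rendering. The following is an added example, not code from Zhu, Google or Motherboard: it checks a From header for the two traits of the display name quoted above (an odd number of quotation marks, and an email address inside the display name that differs from the real sender). The function names and the sample headers, including the sender address yan@sender.example, are constructed for illustration.

```python
import re

# Loose pattern for spotting an email address inside a display name.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def split_from(header):
    """Split a From header value into (display_name, address) at the final <...>."""
    m = re.search(r"<([^<>]*)>\s*$", header)
    if not m:
        return "", header.strip()  # bare address, no display name
    return header[:m.start()].strip(), m.group(1).strip()


def check_from(header):
    """Return a list of findings for a single From header value."""
    display, addr = split_from(header)
    findings = []
    # An odd count of unescaped quotation marks means the display name is
    # malformed, which is what confused the client's parser in this report.
    if len(re.findall(r'(?<!\\)"', display)) % 2:
        findings.append("unbalanced-quotes")
    # An address in the display name that is not the real sender is a
    # classic way to make a message look like it came from someone else.
    embedded = [a for a in ADDR_RE.findall(display) if a.lower() != addr.lower()]
    if embedded:
        findings.append("address-in-display-name")
    return findings


# Constructed sample headers; the second uses the display name from the article.
SAMPLES = [
    'Yan Zhu <yan@sender.example>',
    'yan ""email@example.com" <yan@sender.example>',
    '"Support (help@corp.example)" <help@corp.example>',
    '"billing@corp.example" <someone@other.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_from(header) or "ok")
```

Messages that produce findings can be tagged or shown with the real sender address forced into view, so the recipient is not dependent on how a particular client renders the display name.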
A Twitter user jokingly said Zhu should’ve taken advantage of the vulnerability when reporting it to Google.
“Send the email from Sergey or Larry and tell them it’s a high priority bug that they need to fix immediately,” wrote Phred on Twitter. “Problem solved.”
UPDATE, 11/17/2015, 4:28 p.m.: Google finally said it's working to fix the bug.