Google is working to fix an unusual bug that allows anyone to pretend to be someone else in the Gmail app for Android, after the company initially dismissed it as “not a security vulnerability.”
The flaw was spotted by independent security researcher Yan Zhu at the end of October. Zhu found that an attacker could send an email using a different name, and conceal their real email address. The bug only worked within the Gmail Android app, but opened the door for dangerous phishing attempts, given that anyone could pretend to be anybody else, and get away with it.
Zhu reported the bug to Google, which initially dismissed the report because allowing anyone to change their display name was a regular feature. But after Motherboard reported on the bug on Friday, Google’s security team realized that the Gmail Android app failed to display the real email address when the sender uses an extra quotation mark.
Google is now working to fix the bug and “treating the use of display names which exploit it as a high potential phishing signal,” a source close to the company told Motherboard on Tuesday.
“We appreciate the researcher's report and we're addressing the issue that she outlined in the Gmail app for Android,” a Google spokesperson told Motherboard in an email. “Our close relationship with the security research community helps us keep users safe.”
Zhu discovered that using an extra quotation mark in an account’s display name caused the real address of the sender to be hidden. That’s how she was able to send this email to our managing editor Adrianne Jeffries.
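Google’s stated mitigation is to treat display names that exploit the extra quotation mark as a strong phishing signal. The following is an added example, not part of the article and not Google’s or Gmail’s code: a small Python check a mail filter could run over a raw From header. It takes the address from the final angle-bracket group so that nothing in the display name can hide it, and flags display names whose quotation marks are unbalanced or appear inside the name rather than only around it. The sample headers are constructed for illustration and the function names are my own.

```python
import re

# The address is the final "<...>" group on the line; the display name is
# whatever precedes it. Taking the last group means nothing in the name
# can hide the address from the filter.
ADDR_SPEC = re.compile(r'<([^<>]+)>\s*$')
# A quotation mark that is not escaped with a backslash.
UNESCAPED_QUOTE = re.compile(r'(?<!\\)"')


def split_from_header(header):
    """Split a raw From header into (display_name, addr_spec)."""
    h = header.strip()
    m = ADDR_SPEC.search(h)
    if m:
        return h[:m.start()].strip(), m.group(1).strip()
    return "", h  # bare address with no display name


def display_name_quote_signal(display_name):
    """Return the reasons a display name's quotation marks look crafted to
    confuse a quoted-string parser (empty list when nothing looks off)."""
    reasons = []
    quotes = UNESCAPED_QUOTE.findall(display_name)
    if len(quotes) % 2 == 1:
        reasons.append("unbalanced quotation mark")
    inner = display_name.strip()
    if len(inner) >= 2 and inner.startswith('"') and inner.endswith('"'):
        inner = inner[1:-1]  # drop a properly quoted name's outer quotes
    if UNESCAPED_QUOTE.search(inner):
        reasons.append("quotation mark inside display name")
    return reasons


def assess_from_header(header):
    """Combine both checks into a record a filter could log or score on."""
    name, addr = split_from_header(header)
    reasons = display_name_quote_signal(name)
    return {"display_name": name, "address": addr,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample headers (hypothetical addresses, not real messages).
SAMPLE_HEADERS = [
    'Alice Example <alice@example.com>',
    '"Alice Example" <alice@example.com>',
    '"Alice \\"The Boss\\" Example" <alice@example.com>',  # escaped quotes are fine
    '"Alice" Example" <alice@example.com>',                # stray third quote
    'Alice "Example <alice@example.com>',                  # lone quote
    'alice@example.com',
]

if __name__ == "__main__":
    for raw in SAMPLE_HEADERS:
        r = assess_from_header(raw)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f'{flag:10} name={r["display_name"]!r} '
              f'addr={r["address"]!r} {r["reasons"]}')
```

The check is deliberately narrow: a name with properly escaped inner quotes passes, while an odd number of quotes or a quote that survives once the outer pair is stripped is reported, and the address is still surfaced in every case so a reviewer sees who actually sent the message.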
Zhu said she was happy the bug was finally getting fixed, but added that she was “totally amazed” and “disappointed” that Google didn’t understand what the issue was when she explained it to the security team “at least three times, with screenshots,” during their email exchange.
“I don't want to neg the Google security team since their job is difficult and they are probably flooded with bogus reports,” Zhu told Motherboard. “However, the process of reporting a legitimate bug was way more frustrating than I expected.”