
Hacking Gmail’s UX with 'From' Fields – Another Phishing Vector - cottenio
https://blog.cotten.io/hacking-gmail-with-weird-from-fields-d6494254722f
======
Sephr
You think that's bad? There's a Google Inbox and Gmail spoofing vulnerability
which has been disclosed for over a year, and it's still not fixed.

Vulnerability details: [https://eligrey.com/blog/google-inbox-spoofing-vulnerability...](https://eligrey.com/blog/google-inbox-spoofing-vulnerability/)

Screenshot: [https://go.eligrey.com/t/screenshots/google-inbox-spoofing-o...](https://go.eligrey.com/t/screenshots/google-inbox-spoofing-on-android)

PoC demo (open on Android using Google Inbox or Gmail):
[https://dangerous.link/gmail-and-inbox-spoofing-on-android](https://dangerous.link/gmail-and-inbox-spoofing-on-android)

~~~
terrik
Clicking this PoC link on iOS shows that the iOS Mail app suffers the same UI
vulnerability. It appears like you are emailing support@paypal.com, when you
are not.

~~~
zufallsheld
Same for K9 Mail in Android. Clicking on the mail address reveals the real
destination though.

------
tekstar
A different one than the article but also weird/dangerous, it (was? is still?)
possible to manipulate someone else's contact identifiers.

This may have been fixed, but I stopped using gmail years ago so I'm not
sure.

For example imagine Alice emails Bob and Chad, and in the To: field for Bob
she gives Bob a different "Name" like "Brad" <bob@bob.com>. If Chad replies to
this email, Bob will now be in his contact list as Brad. The email is still
bob@bob.com but you can see how it could be malicious, or at least fodder for
fun pranks.

~~~
3pt14159
This drives me fucking crazy.

I have a long history of emailing a particular dude, call him Greg. Greg's
email address does not have any periods in it. Gmail ignores periods, yes, but
many other clients don't, so I want to never type Greg's email with a period.
Further, I want to be able to reliably grep and join my own email exports.

Upon buying a new phone I received an email from Frank, who cc'd Greg. Fucking
Frank has Greg's email address with a period in it.

From now on, no matter what I do, my phone autocompletes Greg's email address
with a period. At first I manually fixed it every time, but at this point I've
given up. Now I'm as bad as Frank. It's like this virus that goes from Frank
to Frank polluting the data as it goes.

If my contacts are going to be changeable by other people can they _at the
very least_ ask me first? Greg is on Gmail, can Gmail not auto-switch Greg to
his canonical email unless I specifically request it not to? If Greg is going
to be changed, why on earth is it one way (the right way) in my web inbox and
a completely different way in my phone?

~~~
tekstar
Brutal.

In my case, my friend's name got replaced with something like "Schookums Bear
<3" after replying to an email from his fiance.

------
zerocrates
I just naturally assumed Gmail only filed things into Sent when it... sent
them. I know that it _does_ "pay attention" to what it's sending: if you're
accessing Gmail through IMAP/SMTP you don't need to have your client store
sent messages on the server; Gmail will populate them there for you when you
send through their SMTP server.

~~~
yakubin
My best guess would be that it is caused by the fact that GMail doesn't really
have folders per se. It emulates them when it's syncing with your client
through IMAP and the web interface shows you folder icons, but these are
really labels. In the case of the "sent" label I'd guess it's just a well-
optimized search over "From:" headers of all the mails stored in "All Mail".
If this is the case, then it appears that this search isn't as accurate as one
would wish it was.

------
amelius
Is someone collecting these attack vectors somewhere?

That would help prevent anyone writing an email client to make the same
mistake.

~~~
jorangreef
I wrote @ronomon/mime, an email parser which enforces RFC 2822 3.6.2 and which
also detects a variety of attack vectors before they can reach the email
client.

A summary of these vectors is listed in the README (amongst various sanity
checks):
[https://github.com/ronomon/mime#robust](https://github.com/ronomon/mime#robust)

Just through checking everything about an email carefully, @ronomon/mime has
detected and brought to light some interesting attack vectors, for example a
malformed email which crashes Apple Mail. This was disclosed to Apple's
security team although they did not see any actual security implications.

Another interesting attack vector was an email containing millions of empty
multiparts, which was able to crash several popular email servers. This was
disclosed through Snyk, here are the details: [https://snyk.io/blog/how-to-crash-an-email-server-with-a-sin...](https://snyk.io/blog/how-to-crash-an-email-server-with-a-single-email)
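
The two header-level checks this thread keeps circling back to, the display-name trick from the PoC links and tekstar's "Brad" <bob@bob.com> contact rewrite on one hand, and the RFC 2822 section 3.6.2 originator rules jorangreef mentions on the other, can be expressed as a small pre-render audit. The code below is an added example written for this thread; it is not @ronomon/mime's code and does not use its API. It relies only on Python's standard `email` module, and every sample message in it is constructed for illustration (the addresses and hostnames are placeholders, not real senders).

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# A display name that itself looks like an addr-spec, e.g. "support@paypal.com".
# Clients that render only the display name show the fake address to the user.
ADDRESS_LIKE = re.compile(r"^[^@\s<>]+@[^@\s<>]+$")


def display_name_mismatches(msg: Message, header: str) -> list[str]:
    """Flag mailboxes in `header` whose display name looks like an email
    address but is not the real addr-spec behind it."""
    findings = []
    for name, addr in getaddresses(msg.get_all(header, [])):
        name = name.strip()
        if ADDRESS_LIKE.match(name) and name.lower() != addr.lower():
            findings.append(
                f"{header}: display name {name!r} masquerades as an address; "
                f"real address is {addr!r}"
            )
    return findings


def check_originator(msg: Message) -> list[str]:
    """RFC 2822 / RFC 5322 section 3.6.2: a message has exactly one From
    field, and if From lists more than one mailbox a Sender field is required."""
    findings = []
    from_fields = msg.get_all("From", [])
    if not from_fields:
        return ["no From field"]
    if len(from_fields) > 1:
        findings.append(
            f"{len(from_fields)} From fields; section 3.6.2 allows exactly one"
        )
    mailboxes = getaddresses(from_fields)
    if len(mailboxes) > 1 and msg.get("Sender") is None:
        findings.append("From lists several mailboxes but there is no Sender field")
    return findings


def audit(raw: str) -> list[str]:
    """Parse a raw RFC 5322 message and return all header findings.
    An empty list means the originator/recipient headers passed every check."""
    msg = message_from_string(raw)
    findings = check_originator(msg)
    for header in ("From", "Sender", "To", "Cc"):
        findings += display_name_mismatches(msg, header)
    return findings


# Constructed sample messages (not taken from any real mailbox).
CLEAN = (
    "From: Alice <alice@example.org>\n"
    "To: Bob <bob@example.org>\n"
    "Subject: lunch\n\n"
    "noon?\n"
)
SPOOFED_FROM = (
    'From: "support@paypal.com" <attacker@evil.example>\n'
    "To: victim@example.org\n"
    "Subject: account notice\n\n"
    "please review\n"
)
DOUBLE_FROM = (
    "From: alice@example.org\n"
    "From: mallory@evil.example\n"
    "To: bob@example.org\n\n"
    "hi\n"
)
GROUP_FROM_NO_SENDER = (
    "From: alice@example.org, carol@example.org\n"
    "To: bob@example.org\n\n"
    "hi\n"
)

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("spoofed", SPOOFED_FROM),
                       ("double-from", DOUBLE_FROM), ("group", GROUP_FROM_NO_SENDER)):
        print(label, audit(raw) or "ok")
```

A client that runs `audit()` before rendering can refuse to show the display name alone when `display_name_mismatches` fires, which removes the UI ambiguity the PoC links exploit; the section 3.6.2 checks in `check_originator` reject messages a conforming MUA should never have produced in the first place.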

------
bonoetmalo
I believe this has been a known issue for years now.

~~~
scandox
Indeed it has. It's been there so long I think it must be considered a
feature.

~~~
cottenio
As @romed notes above, it looks like it _is_ intended as a feature. One which
I think sacrifices majority-security for minority-utility.

------
martin-adams
This reminds me of the issue where spam emails with a calendar invite would
not only appear on your Google calendar, but if the event was triggered, would
give you a notification. I believe they fixed this one.

------
romed
This is a feature, not a bug, and it's required to get enterprise business.

~~~
p1necone
What enterprise use case exists for telling me I've sent email that I haven't
actually sent?

~~~
romed
First, note that a great many enterprise use cases are total nonsense. But
still: people want to be able to put messages into gmail from random other
systems and have the "sent" label be applied, so they can treat it as a system
of record.

~~~
eridius
You wouldn't do that by sending an email to the account. You'd do that by
logging in with IMAP and importing an email that way.

~~~
elcomet
That's how you would do it, of course, but not everyone knows or understands
IMAP. Everyone knows how to send an email.

