Vulnerability details: https://eligrey.com/blog/google-inbox-spoofing-vulnerability...
PoC demo (open on Android using Google Inbox or Gmail): https://dangerous.link/gmail-and-inbox-spoofing-on-android
It was fixed in May: https://www.xda-developers.com/google-fixes-flaw-spoof-inbox...
This may have been fixed, but I stopped using gmail years ago so I'm not sure..
For example imagine Alice emails Bob and Chad, and in the To: field for Bob she gives Bob a different "Name" like "Brad" <firstname.lastname@example.org>. If Chad replies to this email, Bob will now be in his contact list as Brad. The email is still email@example.com but you can see how it could be malicious, or at least fodder for fun pranks.
I have a long history of emailing a particular dude, call him Greg. Greg's email address does not have any periods in it. Gmail ignores periods, yes, but many other clients don't, so I want to never type Greg's email with a period. Further, I want to be able to reliably grep and join my own email exports.
Upon buying a new phone I received an email from Frank, who cc'd Greg. Fucking Frank has Greg's email address with a period in it.
From now on, no matter what I do, my phone autocomplete's Greg's email address with a period. At first I manually fixed it every time, but at this point I've given up. Now I'm as bad as Frank. It's like this virus that goes from Frank to Frank polluting the data as it goes.
If my contacts are going to be changeable by other people can they at the very least ask me first? Greg is on Gmail, can Gmail not auto-switch Greg to his canonical email unless I specifically request it not to? If Greg is going to be changed, why on earth is it one way (the right way) in my web inbox and a completely different way in my phone?
In my case, my friend's name got replaced with something like "Schookums Bear <3" after replying to an email from his fiance.
That would help prevent anyone writing an email client to make the same mistake.
A summary of these vectors are listed in the README (amongst various sanity checks): https://github.com/ronomon/mime#robust
Just through checking everything about an email carefully, @ronomon/mime has detected and brought to light some interesting attack vectors, for example a malformed email which crashes Apple Mail. This was disclosed to Apple's security team although they did not see any actual security implications.
Another interesting attack vector was an email containing millions of empty multiparts, which was able to crash several popular email servers. This was disclosed through Snyk, here are the details: https://snyk.io/blog/how-to-crash-an-email-server-with-a-sin...
It's not like Gmail doesn't show "nudges" and other crap all over the place for stuff like this.
Besides, since in the proposed solution the system is creating the filter, it could bypass checks that require the label not be sent. Just because it shows in filters, and it can be removed from filters by the user, doesn't mean it has to be able to be created through the normal filter mechanism. You still have a "system of record", if that's how we want to refer to this feature, it just requires a single initial setup step on the first received email that is intended to be kept as sent. That's entirely in line with how Gmail currently does things, such as allowing alternate From addresses (which requires an authorization step).
(In fact, it's a bug that defeats the central purpose of the “system of record” feature it’s been suggested that the underlying functionality exists to support, as trustworthiness is the essential point of a system of record.)
¿Por qué no los dos? It's a feature to people with insane business requirements, and a bug for the average user.