Security researcher Yan Zhu is reporting a flaw in Gmail’s Android app that lets a sender pretend to have someone else’s email address.
That’s known as spoofing, and it’s incredibly handy for scammers and phishers, who can make it look as though they really do come from, say, legit.example.com instead of from random.free.account.example.
Zhu reported the bug to Google at the end of October, but Google Security told her that it’s not a security vulnerability, according to screenshots of an email conversation that she shared with Motherboard.
Zhu disclosed it on Twitter last week:
filed a gmail android bug that lets me fake sender email address. they said it’s not a security issue. ¯\_(ツ)_/¯
— yan⚠ (@bcrypt) November 11, 2015
To take advantage of the bug, a user simply changes their display name under account settings.
The sender’s real email address will be hidden, and the receiver won’t be able to reveal it by even by opening the email and expanding the contents.
To concoct a sender’s email address like the one displayed in the tweet below, Zhu told Motherboard that she changed her display name to yan “”security@google.com” with an extra quotation mark.
It’s that extra quotation mark that does the trick, she said:
The extra quotes triggers a parsing bug in the gmail app, which causes the real email to be invisible.
no dkim validation error, etc. anyway i am prolly gonna stop bugging them. pic.twitter.com/2VmEk8u4kB
— yan⚠ (@bcrypt) November 11, 2015
Her mention of DKIM in that tweet refers to DomainKeys Identified Mail (DKIM) signature, which digitally signs emails for a given domain and establishes authenticity.
As Naked Security’s John Shier noted when he dissected a set of emails to discern whether they were phish or legit, DKIM was one of the clues that led him to the conclusion that one of the emails in question was for real.
DKIM doesn’t filter or identify spoofed emails, per se, but it can be helpful in approving legitimate email.
In fact, Google has used it to authenticate email coming from eBay and PayPal: both heavily phished properties.
If a message comes in to Gmail purporting to be from either but lacks DKIM, out it goes – it doesn’t even make it into the Spam folder.
Email spoofing is nothing new, but spam filters often catch spoofed messages, or they typically trigger an alert in Gmail.
If Zhu’s newly found bug allows phishers to get around the DKIM roadblock, their scammy-but-convincing messages are more likely to trick people into dangerous activities.
Scott Greenstone, a Top Contributor in multiple Google projects, replicated the bug and told Zhu that he’d “let the team know.”
Be even more careful than usual, Android users: until Google fixes the bug, the tables have been tilted in the favor of phishers trying to get you to click on links sent in email.
Is payroll really warning you about your paycheck? Is that really your boss telling you to go read an important article by following the link she supposedly sent?
Study the email address carefully. Don’t hit reply to ask for verification. Walk over and have a chat, or send a note using what you know is their real email address.
Image of Android logo courtesy of tanuha2001 / Shutterstock.com
Shane Killian
Is this bug in Inbox, too, or just GMail?
Eric
I wouldn’t say this is a bug; it’s more like the nature of email. I can easily do the same thing with Thunderbird.
Laurence Marks
As Eric states, the ability to use an arbitrary display name has been in email since its inception. It’s inherent in any SMTP email client, including such standards as ELM (1986), Eudora (1988), and even Microsoft Outlook Express (1996). My son was playfully sending me such emails back in the early ’90s. No reason to get excited–a simple look at the full headers will show the true origin.
Laurence Marks
Setting multiple display names and switching among them is a feature of Yahoo! Web Mail. I use it to send personal emails and emails in my role as an officer of a non-profit organization from the same account. As I compose any new mail item or reply, there’s a dropdown from which I can pick the preferred display name. A feature, not a bug.
Anonymous
I think the bug part of it is that if you do it in thunderbird, Google will detect it and shoot it off to spam folder, with domain being different from address etc. If you do it by this new found method its auto approved as genuine mail as its come from the gmail app.
Jason
I think the bug part of it is that the other methods aka in thunderbird would flag it as spam with sender address being different than smtp domain. If you do it by new method in Gmail app it gets auto approved as genuine.
Steven
Yan Zhu – Oh I see
Thank you for showing how it happened.
That is who Yan Zhu is. I knew it was fake email – not from Yan Zhu
I wondered how it happened.
Chris
This is not a bug, it’s how email works. It’s a pity the author couldn’t be bothered to research this and was clearly looking for a cheap story.
Email works like a postcard, just because it says it’s from someone, doesn’t mean it is. Thats how email has always worked. You can set the from address via any client
Paul Ducklin
I think the deal here is that you can weird up the email address so that the sender seen by the server when it checks for spoofing is not what the recipient sees when viewing it.
That means the spoofing doesn’t get spotted. The problem is not that spoofing email is *possible*, but that the server apparently fails to notice when it could and should do so.
Anonymous
A server does not check on DISPLAY NAMES!!!!!!!!!!!!!!!!!!!! SO NO SPOOFING whatsoever is happening.
When an SMTP email is sent, the initial connection provides two pieces of address information:
MAIL FROM: – generally presented to the recipient as the Return-path: header but not normally visible to the end user, and by default no checks are done that the sending system is authorized to send on behalf of that address.
RCPT TO: – specifies which email address the email is delivered to, is not normally visible to the end user but may be present in the headers as part of the “Received:” header.
Together these are sometimes referred to as the “envelope” addressing, by analogy with a traditional paper envelope.[3]
Once the receiving mail server signals that it accepted these two items, the sending system sends the “DATA” command, and typically sends several header items, including:
From: Joe Q Doe – the address visible to the recipient; but again, by default no checks are done that the sending system is authorized to send on behalf of that address.
Reply-to: Jane Roe – similarly not checked
The result is that the email recipient sees the email as having come from the address in the From: header; they may sometimes be able to find the MAIL FROM address; and if they reply to the email it will go to either the address presented in the From: or Reply-to: header – but none of these addresses are typically reliable,[4] so automated bounce messages may generate backscatter.
Paul Ducklin
If I understand correctly, the point in this case is that an email that ought to have been rejected as spoofed was not rejected on account of a extra, sneakily placed quote mark in the email.
dgacom
I think you can do it too while sending email from wordpress server, but change the name to appear like other email sender
Brian Burnell
It may well be how email works. I understand that perfectly.
However what worries me is that these spoof emails containing a link to a malicious site have recently been sent to some friends who appear in my gmail contact list.
How can the spoofer know who to target, unless he has access to my gmail contacts?