Sophos News

Android Gmail bug lets you spoof your email address

Security researcher Yan Zhu is reporting a flaw in Gmail’s Android app that lets a sender pretend to have someone else’s email address.

That’s known as spoofing, and it’s incredibly handy for scammers and phishers, who can make it look as though they really do come from, say, legit.example.com instead of from random.free.account.example.

Zhu reported the bug to Google at the end of October, but Google Security told her that it’s not a security vulnerability, according to screenshots of an email conversation that she shared with Motherboard.

Zhu disclosed it on Twitter last week:

To take advantage of the bug, a user simply changes their display name under account settings.

The sender’s real email address will be hidden, and the receiver won’t be able to reveal it even by opening the email and expanding the contents.

To concoct a sender’s email address like the one displayed in the tweet below, Zhu told Motherboard that she changed her display name to yan ""security@google.com" with an extra quotation mark.

It’s that extra quotation mark that does the trick, she said:

The extra quotes trigger a parsing bug in the gmail app, which causes the real email to be invisible.
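As an added illustration of what a mail client or gateway should do with such a header (this is example code, not the article's, Google's or Zhu's), the check below always takes the sender from the final <addr-spec> instead of walking quoted-strings, and flags a display name that has an odd number of quotation marks or that contains an address-like string from a different domain than the real sender. The header values are constructed to match the description above; the article does not give the bytes the Gmail app actually put on the wire.

```python
import re
from dataclasses import dataclass, field

# The real sender is the addr-spec inside the final <...>.  We deliberately do
# not walk quoted-strings: an unbalanced quote in the display name is exactly
# what makes a quote-aware parser swallow the address, as the article describes.
_ROUTE_ADDR = re.compile(r"<\s*([^<>\s@]+@[^<>\s@]+)\s*>\s*$")
# Anything that looks like an email address (used on the display name).
_ADDR_LIKE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class FromCheck:
    display_name: str
    real_address: str            # "" when no addr-spec could be recovered
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def check_from_header(value: str) -> FromCheck:
    """Split a From: header value and flag display-name spoofing tricks."""
    m = _ROUTE_ADDR.search(value)
    if not m:
        bare = value.strip()
        if _ADDR_LIKE.fullmatch(bare):          # plain addr-spec, no display name
            return FromCheck(display_name="", real_address=bare)
        return FromCheck(display_name="", real_address="", flags=["no-route-addr"])
    real = m.group(1)
    name = value[: m.start()].strip()
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"':
        name = name[1:-1]                       # well-formed quoted-string
    name = name.replace('\\"', '"')             # undo RFC 5322 quoted-pair escapes
    flags = []
    if name.count('"') % 2:                     # the "extra quotation mark"
        flags.append("unbalanced-quotes")
    real_domain = real.rsplit("@", 1)[1].lower()
    for fake in _ADDR_LIKE.findall(name):       # address-like text in the name
        if fake.rsplit("@", 1)[1].lower() != real_domain:
            flags.append(f"display-name-address:{fake}")
    return FromCheck(display_name=name, real_address=real, flags=flags)


if __name__ == "__main__":
    # Constructed headers modelled on the article; not captured traffic.
    for hdr in ('yan ""security@google.com" <yan@example.com>',
                '"yan \\"\\"security@google.com\\"" <yan@example.com>',
                '"Security Team" <security@google.com>'):
        r = check_from_header(hdr)
        print(f"{hdr!r:60} -> sender={r.real_address} flags={r.flags}")
```

Both the raw and the properly escaped form of the display name come out with the same two flags, so the check does not depend on which one the sending client emitted.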

Her mention of DKIM in that tweet refers to the DomainKeys Identified Mail (DKIM) signature, which digitally signs emails for a given domain and establishes their authenticity.

As Naked Security’s John Shier noted when he dissected a set of emails to discern whether they were phish or legit, DKIM was one of the clues that led him to the conclusion that one of the emails in question was for real.

DKIM doesn’t filter or identify spoofed emails, per se, but it can be helpful in approving legitimate email.

In fact, Google has used it to authenticate email coming from eBay and PayPal: both heavily phished properties.

If a message comes in to Gmail purporting to be from either but lacks DKIM, out it goes – it doesn’t even make it into the Spam folder.

Email spoofing is nothing new, but spam filters often catch spoofed messages, and those that get through typically trigger an alert in Gmail.

If Zhu’s newly found bug allows phishers to get around the DKIM roadblock, their scammy-but-convincing messages are more likely to trick people into dangerous activities.

Scott Greenstone, a Top Contributor in multiple Google projects, replicated the bug and told Zhu that he’d “let the team know.”

Be even more careful than usual, Android users: until Google fixes the bug, the tables have been tilted in favor of phishers trying to get you to click on links sent in email.

Is payroll really warning you about your paycheck? Is that really your boss telling you to go read an important article by following the link she supposedly sent?

Study the email address carefully. Don’t hit reply to ask for verification. Walk over and have a chat, or send a note using what you know is their real email address.

Image of Android logo courtesy of tanuha2001 / Shutterstock.com