New Gmail Bug Allows Sending Messages Anonymously (bleepingcomputer.com)
Earlier this week software developer Tim Cotten discovered a serious glitch in Gmail. An anonymous reader quotes BleepingComputer:
Tampering with the 'From:' header by replacing some text with an <object>, <script> or <img> tag causes the interface to show a blank space instead of the sender's address.... Opening the email does not help, either, as the sender's address continues to remain hidden and shows no info even when hovering on it, an action that typically reveals the details.... Trying to reply to the message is also of no help. Cotten attempted this thinking that Gmail would read the original email headers and determine the destination. "Wrong again! Gmail is at a complete loss at what to do!" Cotten writes in a blog post that details his new finding....
Using the Show Original option, which allows users with more experience to trace an email, the desired detail is still unavailable in the user-friendly view. Looking at the raw info, however, shows the source address buried at the end of the <img> tag Cotten used in his experiment. He didn't even have to spell correctly the data type to trigger the bug. Unfortunately, it is highly unlikely that the average Gmail user will be able to navigate to this area and determine who the apparently anonymous message is coming from. Due to this, for these users the risk of phishing is high.
Cotten's bug report "relies on his previous discovery that proved how a malformed 'From:' header allows placing an arbitrary email address in the sender field," the article points out, also noting a third recently-reported Gmail bug that "allows fraudsters to create a 'mailto:' link that populates the destination field in the app with whatever address they want; the latter was reported about 19 months ago to Google and is still present in the Gmail app for Android."
"According to the developer, one solution Google could implement to avoid forging the From field is to properly check the email headers and deny communication with an anomalous structure in the sender or recipient fields. Another method proposed by Cotten is Joran Greef's project Ronomon, which can trigger errors when email specifications are not followed."
Threatpost reported Tuesday that Google "did not respond to a request for comment."
You should never consider email to be accurate as to who the sender is. If you want to be certain, have them sign it cryptographically. That is the only solution, and even that is not 100% certain (for example, if keys get stolen).
"First they came for the slanderers and i said nothing."
A gmail address is anonymous enough.
Hardly sending anonymously. Last I looked at an iPhone, their interface totally hides the ability to determine the true sender of an email, and they do that purposefully.
Certainly should be fixed and leads to questions about what else is lurking in the code. On the severity side it seems low; just another method available for phishing.
"Send mail anonymously" when the problem is in the displaying, so it'll only work when sending to gmail AND the recipient uses the web interface.
Oh and get a real news source, you failure of an editor, you.
Email addresses have always been quite easy to forge; most SMTP servers can be connected to and used to send emails using pretty much any email address as the sender. There's no authentication in place, so that's pretty easy to do: all you need is a telnet client and the proper sequence of commands from the SMTP specification.
GMail is more than just its HTTP interface, which is where this bug manifests. For the idiots who don't know the difference, there is nothing wrong with GMail's SMTP or POP3 or IMAP servers; you can use those safely (well... it's still Google) from any standalone e-mail client you might choose. The ONLY thing you should avoid - and honestly you should have been doing it long before now - is GMail DOT COM and its HTTP Webmail interface to the underlying service.
Get yourself a real e-mail client.
My hook nose is missing from your post. Please correct this immediately.
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
You're not beating anybody at anything, you're just beating yourself off.
It is already quite trivial to spoof the sender's address on an email or to just use one of probably hundreds of free email services to make a throwaway account.
People need to consider that email is no more secure/private than a postcard. The sender of the postcard can put whatever or no return address on it, and the message contents on the postcard can be read by anyone who handles the postcard. Just the same, email sender addresses can be spoofed and every mail server that your email passes through has the ability to read the email message as it passes through.
How does that help phishing? If the sender does not look like mybank.com, that will tip off more people, not fewer.
And I thought some of the people at Google were smart; turns out they are lazy and stupid.
how easy is it to validate data and do a good quality job...
How are they at a loss?
Just fucking properly escape the god damn text in the from field and display it.
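Both the article's summary (reject a From: header with an anomalous structure) and the comment above (escape the text before displaying it) describe the same defensive pattern, so here is one added example covering both. It is not code from Gmail, Google, Cotten or the Ronomon project; it is a strict validator for the RFC 5322 `mailbox` form of a From: header (a deliberately narrow subset: plain or quoted display name plus one `addr-spec`, no groups, comments or encoded-words) and a renderer that HTML-escapes whatever it shows and never falls back to a blank. The function names, the CSS class names and the sample headers are all constructed for this example.

```python
"""Strict From: header validation and safe rendering (illustrative example).

Two defensive rules from the discussion:
  1. A From: header that is not a single well-formed mailbox is treated as
     malformed and rejected, rather than being partially rendered.
  2. Whatever is shown to the user is HTML-escaped, and a rejected header is
     shown as an explicit "unknown sender" marker, never as empty space.
"""
import html
import re

# RFC 5322 atext: the characters permitted in an unquoted local-part/domain word.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_DOT_ATOM = rf"{_ATEXT}+(?:\.{_ATEXT}+)*"
_ADDR_SPEC = rf"{_DOT_ATOM}@{_DOT_ATOM}"

# Display name: either a quoted-string (no bare CR/LF inside) or a simple
# phrase of letters, digits, spaces and a few punctuation marks. Angle
# brackets are only legal inside a quoted-string, so an unquoted tag such as
# <img src=x> can never be parsed as part of the name.
_QUOTED_STRING = r'"(?:[^"\\\r\n]|\\.)*"'
_PHRASE = r"[A-Za-z0-9 ._'-]+"
_DISPLAY_NAME = rf"(?:{_QUOTED_STRING}|{_PHRASE})"

# Exactly one mailbox: "name <addr>" or "addr", nothing else on the line.
_MAILBOX_RE = re.compile(
    rf"^\s*(?:(?P<name>{_DISPLAY_NAME})?\s*<(?P<addr1>{_ADDR_SPEC})>"
    rf"|(?P<addr2>{_ADDR_SPEC}))\s*$"
)


class MalformedFromHeader(ValueError):
    """Raised when a From: header is not a single well-formed mailbox."""


def parse_from_header(value: str) -> tuple[str, str]:
    """Return (display_name, address) or raise MalformedFromHeader.

    display_name is "" when the header is a bare address.
    """
    if "\r" in value or "\n" in value:
        # A folded or injected second line is never accepted here.
        raise MalformedFromHeader("line break inside From header")
    match = _MAILBOX_RE.match(value)
    if match is None:
        raise MalformedFromHeader("not a single RFC 5322 mailbox")
    if match.group("addr2"):
        return "", match.group("addr2")
    name = (match.group("name") or "").strip()
    if name.startswith('"') and name.endswith('"'):
        # Unquote and resolve backslash escapes inside the quoted-string.
        name = re.sub(r"\\(.)", r"\1", name[1:-1])
    return name, match.group("addr1")


def is_acceptable_from_header(value: str) -> bool:
    """Policy hook: True only for headers the strict parser accepts."""
    try:
        parse_from_header(value)
    except MalformedFromHeader:
        return False
    return True


def render_sender_html(value: str) -> str:
    """Produce the HTML fragment shown in a message list or header pane.

    Every user-controlled substring passes through html.escape, and a rejected
    header yields a visible marker instead of a blank sender.
    """
    try:
        name, addr = parse_from_header(value)
    except MalformedFromHeader:
        return ('<span class="sender sender-invalid">'
                "Unknown sender (malformed From header)</span>")
    if name:
        return (f'<span class="sender">{html.escape(name)} '
                f"&lt;{html.escape(addr)}&gt;</span>")
    return f'<span class="sender">{html.escape(addr)}</span>'


if __name__ == "__main__":
    # Constructed sample headers: two well-formed, one with a tag inside a
    # quoted display name (legal, must be escaped), two structurally broken.
    samples = [
        "Tim Cotten <tim@example.com>",
        '"Cotten, Tim" <tim@example.com>',
        '"<b>bold</b>" <tim@example.com>',
        "<img src=x> <tim@example.com>",
        "Tim <object> <tim@example.com>",
    ]
    for raw in samples:
        print(f"{raw!r:45} accept={is_acceptable_from_header(raw)!s:5} "
              f"-> {render_sender_html(raw)}")
```

The point of the quoted-name case is that escaping and validation are separate controls: `"<b>bold</b>" <tim@example.com>` is a perfectly legal header, so the validator accepts it, and only `html.escape` keeps the markup from reaching the DOM. The tag-in-the-wild cases fail structurally, so the renderer shows the invalid-sender marker instead of hiding the field.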
A banner ad so big that I can't even seen an entire summary? What the fuck has happened to this place?
Most email clients add one, but the email spec doesn't require it, much less provide a way to confirm that it's accurate. Spammers have run amok with this for decades (you didn't think your cousin Linda really sent you that spam about penis enlargement, did you?). Even Gmail doesn't enforce it: you can configure it to insert a different address as your From address. While it's cute that he's figured out a way to have it accept a blank as the From address, this is hardly an earth-shattering bug.
This is what happens when you couple a glorified home-page displayer with an ad-delivery-oriented Turing-complete language, and call it a development environment. It's a wonder that Google hasn't done worse; I praise their engineers.
I tried the "hack" and it doesn't work anymore - GMail has been patched for this already...
I doubt snipes use email.
Not a bug, it's a feature, just like all the other ones that go against the public!
I've no version 3.0++, I'd never post on hosts offtopic + gweihir KNEW u IMPERSONATE me https://it.slashdot.org/commen... c6gunner proves it https://linux.slashdot.org/com... & forgot to SUBMIT AC & used his registered 'lusrname' (he tried to mock me both BEFORE & after I FAIRLY challenged him to show he's done better work - he had ZERO).
I'd never "cry victim" to ne'er-do-wells (TROLLS, not all /.ers) either.
U EVEN HELPED ME https://science.slashdot.org/c... (& then realizing it you quit trying to make me look bad via what you thought were lies on hosts as "ME" IN YOUR IMPERSONATIONS of me e.g. https://tech.slashdot.org/comm... on speculative execution attack: Hosts PREVENT 'EM, joke's on you)
APK
P.S.=> 2nd to last link's KILLING U THAT U HELPED ME & got me to see if hosts stop portsmash/meltdown/spectre & yes - hosts WORK on 'em - U LOSE + FAIL a PORTFILTER TEST https://yro.slashdot.org/comme...
Thank you. I have read your advertisement several times now and I would like to subscribe to your publications.
Please find enclosed a signed Postal Order, written in GBP (Great British Pounds), sufficient to cover 12 months' subscription, by post, plus a little extra to expedite processing. I have also included 12 First Class stamps and 12 padded A4 envelopes in the package.
Please deliver the monthly newsletter and optional marching orders package to Crazy Cat Lady, 26 Hook Street, Nose End, Lancashire, England, Great Britain, United Kingdom, Earth, Sol.
Hi, original author here. The issues are still unresolved as of this morning.
... it's a "feature".