New Gmail Bug Allows Sending Messages Anonymously

Earlier this week software developer Tim Cotten discovered a serious glitch in Gmail. An anonymous reader quotes BleepingComputer: Tampering with the 'From:' header by replacing some text with an <object>, <script> or <img> tag causes the interface to show a blank space instead of the sender's address.... Opening the email does not help, either, as the sender's address continues to remain hidden and shows no info even when hovering on it, an action that typically reveals the details.... Trying to reply to the message is also of no help. Cotten attempted this thinking that Gmail would read the original email headers and determine the destination. "Wrong again! Gmail is at a complete loss at what to do!" Cotten writes in a blog post that details his new finding....

Using the Show Original option, which allows users with more experience to trace an email, the desired detail is still unavailable in the user-friendly view. Looking at the raw info, however, shows the source address buried at the end of the <img> tag Cotten used in his experiment. He didn't even have to spell correctly the data type to trigger the bug. Unfortunately, it is highly unlikely that the average Gmail user will be able to navigate to this area and determine who the apparently anonymous message is coming from. Due to this, for these users the risk of phishing is high.
Cotten's bug report "relies on his previous discovery that proved how a malformed 'From:' header allows placing an arbitrary email address in the sender field," the article points out, also noting a third recently-reported Gmail bug that "allows fraudsters to create a 'mailto:' link that populates the destination field in the app with whatever address they want; the latter was reported about 19 months ago to Google and is still present in the Gmail app for Android."

"According to the developer, one solution Google could implement to avoid forging the From field is to properly check the email headers and deny communication with an anomalous structure in the sender or recipient fields. Another method proposed by Cotten is Joran Greef's project Ronomon, which can trigger errors when email specifications are not followed."

Threatpost reported Tuesday that Google "did not respond to a request for comment."

email not secure

[phantomfive]

You should never consider email to be accurate as to who the sender is. If you want to be certain, have them sign it cryptographically. That is the only solution, and even that is not 100% certain (for example, if keys get stolen).

Re: email not secure

How about just donâ(TM)t answer those emails

Re:email not secure

lol OK Edward Snowden

Re: email not secure

Well here is the thing with email. It hardly matters what the sender line says or the subject or the content. Any fool can tell if itâ(TM)s a real email or just a Nigerian prince scam

Re:email not secure

You don't have to be Edward Snowden to know that email is not secure. If you are implying it is either you are trolling or are very ignorant.

Re:email not secure

Its not a bug, rather old smtp/pop3/imap technology....

APK Hosts File Engine 3.0++ for Linux/BSD... apk

See subject: APK Hosts File Engine 3.0++ 64-bit for Linux/BSD h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p

Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

Vs. "Bolt on 'MoAr' illogic-logic" slowing u hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploit!

* ONLY 1 of its kind in GUI 4 Linux/BSD & supports port filters!

APK

P.S.=> Protects vs. all speculative execution exploits + scripts/trackers (faster vs. NoScript @ kernelmode level)/ads/DNS request tracking + redirect poisoned or downed DNS/botnets/malware/malcript/email malicious payloads... apk

meh

A gmail address is anonymous enough.

Misleading subject line

[dogsbreath]

Hardly sending anonymously. Last I looked at an iPhone, their interface totally hides the ability to determine the true sender of an email, and they do that purposefully.

Certainly should be fixed and leads to questions about what else is lurking in the code. On the severity side seems low; just another method available for phishing.

Oh please

"Send mail anonymously" when the problem is in the displaying, so it'll only work when sending to gmail AND the recipient uses the web interface.

Oh and get a real news source, you failure of an editor, you.

IMPERSONATING ME AGAIN? apk

I've no version 3.0++, I'd never post on hosts offtopic + gweihir KNEW u IMPERSONATE me https://it.slashdot.org/commen... c6gunner proves it https://linux.slashdot.org/com... & forgot to SUBMIT AC & used his registered 'lusrname' (he tried to mock me both BEFORE & after I FAIRLY challenged him to show he's done better work - he had ZERO).

U EVEN HELPED ME https://science.slashdot.org/c... (& then realizing it you quit trying to make me look bad via what you thought were lies on hosts as "ME" IN YOUR IMPERSONATIONS of me e.g. https://tech.slashdot.org/comm... on speculative execution attack: Hosts PREVENT 'EM, jokes on you)

APK

P.S.=> 2nd to last link's KILLING U THAT U HELPED ME & got me to see if hosts stop portsmash/meltdown/spectre & yes - hosts WORK on 'em - U LOSE + FAIL a PORTFILTER TEST https://yro.slashdot.org/comme...

Re:IMPERSONATING ME AGAIN? apk

[webmistressrachel]

My hook nose is missing from you post. Please correct this immediately.

This is nothing new

Emails addresses have always been quite easy to forge, most SMTP servers can be connected to and used to send emails using pretty much any email addresses as the sender, there's no authentification in place so that's pretty easy to do, all you need is a telnet client and the proper sequence of commands from the SMTP specification.

Re: This is nothing new

Still needs open relay good luck finding anyone incompetent enough to do that on accident

Re:This is nothing new

most

Pure bullshit

Re: This is nothing new

[Lost+Race]

Nope, telnet to port 25 on the recipient's domain's MX host.

(Good luck finding a recipient whose SMTP server allows direct connections from your IP address.)

Re:This is nothing new

[RandomFactor]

Generalization fallacy.

Historically the statement is true. It has become less so over time due to progressive adoption of various authentication mechanisms (SPF, DKIM, DMARC) but is still largely accurate.

Re: This is nothing new

That hasn't been true in decades.
If you want to send spam, exploit their web sites software. Then the server thinks your script is the sites code.
That is where your spam comes from.

Re: This is nothing new

No luck needed. Having worked at a large hosting company for over a decade I can't tell you how many millions of spam messages I deleted from deferred and outgoing postfix mail queues on custom servers acting as open relays. There are plenty out there.

Re: This is nothing new

I meant to finish with good luck finding those open relays run by accident, As I'd imagine if you're finding them in the wild they are honeypots, or otherwise compromised as jump points or harvesting. Just saying if he thinks that he's sending "anonymous" emails he's likely not

We meed to hang c6gummer the retarded nazi faggot

We meed to hang c6gummer the retarded nazi faggot

NOT a bug in GMail

[macraig]

GMail is more than just its HTTP interface, which is where this bug manifests. For the idiots who don't know the difference, there is nothing wrong with GMail's SMTP or POP3 or IMAP servers; you can use those safely (well... it's still Google) from any standalone e-mail client you might choose. The ONLY thing you should avoid - and honestly you should have been doing it long before now - is GMail DOT COM and its HTTP Webmail interface to the underlying service.

Get yourself a real e-mail client.

Re:NOT a bug in GMail

GMail is more than just its HTTP interface, which is where this bug manifests. For the idiots who don't know the difference, there is nothing wrong with GMail's SMTP or POP3 or IMAP servers; you can use those safely (well... it's still Google) from any standalone e-mail client you might choose. The ONLY thing you should avoid - and honestly you should have been doing it long before now - is GMail DOT COM and its HTTP Webmail interface to the underlying service.

Get yourself a real e-mail client.

So the Google "engineers" are morons. Got it! Thanks!

Re:NOT a bug in GMail

So you are saying the bug is with gmail.com? You know the interface millions of people use every day? Also you seem to think 'real e-mail clients' do not have render bugs too? What an interesting idea you have. Not true. But at least interesting.

Re:NOT a bug in GMail

This. I download my mail with mutt, and that is not affected by this nonsense at all.

Re:NOT a bug in GMail

[93+Escort+Wagon]

Get yourself a real e-mail client.

My work email is through Google Apps (or G Suite or whatever they’re calling it this week). I use a “real e-mail client”, and interface with their servers via IMAP. I avoid their web interface as much as I can.

I can’t claim to do this because of security, though. It’s just that web mail - even Google’s version of it - sucks in comparison to a real email client. Not to mention that, on rare occasions, I have needed to send encrypted email... and I’d rather no one other than the recipient have access to the contents of those messages.

Re:NOT a bug in GMail

The problem with accessing gmail over pop/imap is they make you put your account into a "reduced security" mode to do so, then constantly hound you about the fact that your account is in said reduced security mode.

Re:NOT a bug in GMail

[Aighearach]

I've been using the same Ruby app I wrote 10 years ago to check for new messages over IMAP and launch my mail client, and I'm not getting "constantly hounded."

You're probably just confused; if you won't give them permission to send shit to your phone to pretend you have increased security, they will pester you about that; but that isn't a reduced security mode at all, it is an increased security mode if your phone is more likely to get lost or be accessed without permission than your desktop. Only family have access to my desktop, my phone goes with me when I leave the house and could get lost, and then be accessed by who-knows-who. Also, the phone is more likely to get malware.

So it seems to be a very different issue that has nothing to do with gmail, but instead exists across all the google accounts; if you follow traditional best practices, you will constantly get pestered to reduce your security by turning on "security for dummies" type features that only increase security if you would otherwise be flapping in the breeze.

The dumbest part is that since most people have an email client installed on their phones, and google pushes that app pretty hard, the thing they call "2 factor" instead reduces the entire security situation to "possession of phone." 2 clicks isn't 2 factors. Having the email app send a txt to the messaging app isn't 2 factors.

Re:NOT a bug in GMail

I've been using the same Ruby app I wrote 10 years ago to check for new messages over IMAP and launch my mail client, and I'm not getting "constantly hounded."

What we really need is a command-line/UNIX-friendly way of accessing a FIDO key. And then port that into mutt, pine, /usr/bin/mail, or whatever.

No web shit. No Javashit. No web browser. Just a piece of new code that says "Hey, OS? Anything happening on that USB port? Anything happening via Bluetooth?" The same machine-level instructions that are running when the web browser does it, but - and I know this part scares people at Google - not in a web browser.

I know what the impersonators want to do

See subject: They want to flood the forums topic by topic (especially if/when offtopic) impersonating me on hosts to turn others against me OR to make them no longer read my posts on hosts.

* Pitiful BITCH tactic game that the types of WHIMPS I used to pound their skulls in for it "back in the day" never did again once I beat the FUCK outta them...

APK

P.S.=> Why do that? It's ALL the little "WEEZILS" understand is being beaten DOWN hard... apk

Re:I know what the impersonators want to do

[nyet]

You're not beating anybody at anything, you're just beating yourself off.

Re: I know what the impersonators want to do

Idiot Nutcase is just making stuff up to get you to respond to him. I laugh in his face

JOOZ!

Khazar Talmudic Jews believe this of all they call goyim/gentiles (any non-jew): Jews = biggest racists of all (for which they "jew guilt" you for no less! They're hypocrites known as thieves all thru history or were Argentines in the 1940 under Peron, Spanish inquistion, France (1306), Egypt (despoiled/robbed by jews), Arabs (pre & post 1948), England (1330 Edward longshanks), Romans under titus, Russia pogroms and Germany who got rid of them from their nations nazi german's too? No. Driven into DESERTS ages ago! Don't wonder why after all those exilings above.

Should anyone doubt any of this see Jacob Javits' crony Rosenthal spill the beans on it https://www.youtube.com/watch?v=D4zMVZ8HnFI/ where he called all Christianity fools for helping Israel and the biggest scam of all time per their beliefs below from their Talmud.

This is the province of the synagogue of Satan (Pharisees whom Jesus Christ himself kicked to the curb out of the temple & they killed him for it. Jeremiah did the same to them also + the Essenes could not stand them either breaking away from the pharisee corruption):

Mark Zuckerberg stole the Winklevoss twins' code for Fakebook (figures as he is a thieving low jew too).

Maria Abramovic satanist spirit cooker pal of Hillary Clinton the Voodoo queen is a jew https://www.google.com/search?...

Like Hillary Clinton's mentor Saul Alinsky author of rules for radicals book dedicated to Lucifer

"Most Jews do not like to admit it, but our god is Lucifer Â- so I wasnÂ't lying Â- and we are his chosen people. Lucifer is very much aliveÂ" Harold Rosenthal http://www.thetruthseeker.co.u...

Jewish rabbi openly admits to satan worship use white children's blood they kill for passover bread, infiltrating and subverting the catholic church, creating the Jesuit order https://www.youtube.com/watch?... and https://www.youtube.com/watch?...

Barbara Spectre, a jew, tells everyone it's jews orchestrating the muslim migrant problem in Europe https://www.youtube.com/watch?v=MFE0qAiofMQ/ . No migrant raping of women in Poland. Tons in Sweden. Do the math. Use common-sense. This is to get muslims and other goyim/gentiles to wipe one another out as incompatible cultures that will clash and always have.

Rabbi A. Finkelstein ADMITS their greatest enemies are ARABS and WHITES (blacks too) whom they wish to kill one another in a 'theater of war' which they find AMUSING https://www.youtube.com/watch?...

Finkelstein also admits JEWS DID 9/11 (perpetrated by the Mossad & Bebe Netanyahu of ISRAEL) https://www.youtube.com/watch?... profiting by it (and that 3,000 jews employed there did not show up for work that day knowing about it beforehand).

Finkelstein also admits JEWS are going to destroy the U.S. Dollar and dumping it for other world currencies and gold to destroy the United States.

George Soros who funds groups to create division in the USA?? A jew. One who sold his own jew people into death for the nazis.

Zucker now FIRED @ CNN is another frying publicly for lying about "russians" and John Bonifield a producer @ CNN said it is bs. Van Jones did also.

Bernie Madoff (who made off with everyone's money, especially construction union pensions) shows the thieving nature of the JUDEN!

Eric Schmidt had to step down @ JEWgle (a jew).

Adam Schiff (gosh s

Re:JOOZ!

[webmistressrachel]

Thank you. I have read your advertisement several times now and I would like to subscribe to your publications.

Please find enclosed a signed Postal Order, written in GBP (Great British Pounds), sufficient to cover 12 months' subscription, by post, plus a little extra to expedite processing. I have also included 12 First Class stamps and 12 padded A4 envelopes in the package.

Please deliver the monthly newsletter and optional marching orders package to Crazy Cat Lady, 26 Hook Street, Nose End, Lancashire, England, Great Britain, United Kingdom, Earth, Sol.

Re: We meed to hang c6gummer the retarded nazi fag

Heâ(TM)s a DOM ass

I see you project what you do, lol... apk

I see you project what you do & I don't have to even TRY to win. You dolts defeat yourselves FOR me since you're punks that hide behind UNIDENTIFIABLE anonymous posts STALKING me OR even IMPERSONATING ME or behind FAKE NAMES for your FAKE lies of so-called WASTED lives, lol!

* Yes, it's TRULY that simple vs. a pack of "ne'er-do-well" DO-NOTHING nobody LOSERS that don't amount to shit like you!

APK

P.S.=> Truer words were NEVER spoken on /. - Especially to YOU you JEALOUS "Lil' Jowie", hahaha... apk

Anyone really care?

It is already quite trivial to spoof the senders address on an email or to just use one of probably hundreds of free email services to make a throw away account.

People need to consider that email is no more secure/private than a post card. The sender of the postcard can put whatever or no return address on it, and the message contents on the postcard can be read by anyone who handles the postcard. Just the same as email sender addresses can be spoofed and every mail server that your email passes though has the ability to read the email message as it passes though.

Time to PROVE how STUPID you are... apk

See subject: You don't laugh in my face because you won't FACE ME & hide behind UNIDENTIFIABLE anonymous like the weezil u are (or from behind a FAKE NAME, some "phantasyland" wannabe 'superhero' LOON delusional ones no less quite often, lol).

APK

P.S.=> Believe me - I am LAUGHING @ YOU & I have @ "your kind" my ENTIRE LIFE + so has EVERYONE ELSE & you have a "butthurt chip" on your PUNY shoulder (that's your fault for being a WHIMP WEEZIL limpdick, hahahaha) & - why? Simply because I KNOW you're WHIMPS & WEEZILS & you know it too, lol... apk

Phishing?

How does that help phishing? If the sender does not look like mybank.com, that will tip off more people, not fewer.

lazy poor quality code

and i thought some of the people at Google were smart, turns out they are lazy and stupid.
how easy is it to validate data and do a good quality job...

at a loss

How are they at a loss?
Just fucking properly escape the god damn text in the from field and display it.

Fuck Slashdot

A banner ad so big that I can't even seen an entire summary? What the fuck has happened to this place?

From address is optional

[Solandri]

Most email clients add one, but the email spec doesn't require it, much less provide a way to confirm that it's accurate. Spammers have run amok with this for decades (you didn't think your cousin Linda really sent you that spam about penis enlargement, did you?). Even Gmail doesn't enforce it - you can configure it to insert a different address as your From address. While it's cute that he's figured out a way to have to accept a blank as the From address, this is hardly an earthshattering bug.

JavaScript disaster

[MobyTurbo]

This is what happens when you couple a glorified home-page displayer with an ad-delivery-oriented touring-complete language, and call it a development environment. It's a wonder that Google hasn't done worse, I praise their engineers.

Re:JavaScript disaster

I guess a "touring-complete language" is good for solving the Traveling Salesman Problem?

Re:JavaScript disaster

[MobyTurbo]

Ooops, instead of P=NP it was OU=O?

Re:JavaScript disaster

Toring? I think you mean OU=U...

Fixed already

I tried the "hack" and it doesn't work anymore - GMail has been patched for this already...

Re:Fixed already

[Draconi]

I tried the "hack" and it doesn't work anymore - GMail has been patched for this already...

Incorrect. https://imgur.com/a/tIODzuK

If you copy/pasted the result of the Show Original it wouldn't work, true. But still easily reproducible based on the attack vector description.

Snipes

I doubt snipes use email.

not a bug, but a feature

[usr1987]

Not a bug its a feature, just like all the other ones that go against the public!

IMPERSONATING ME AGAIN? apk

I've no version 3.0++, I'd never post on hosts offtopic + gweihir KNEW u IMPERSONATE me https://it.slashdot.org/commen... c6gunner proves it https://linux.slashdot.org/com... & forgot to SUBMIT AC & used his registered 'lusrname' (he tried to mock me both BEFORE & after I FAIRLY challenged him to show he's done better work - he had ZERO).

I'd never "cry victim" to ne'er-do-wells (TROLLS, not all /.ers) either.

U EVEN HELPED ME https://science.slashdot.org/c... (& then realizing it you quit trying to make me look bad via what you thought were lies on hosts as "ME" IN YOUR IMPERSONATIONS of me e.g. https://tech.slashdot.org/comm... on speculative execution attack: Hosts PREVENT 'EM, joke's on you)

APK

P.S.=> 2nd to last link's KILLING U THAT U HELPED ME & got me to see if hosts stop portsmash/meltdown/spectre & yes - hosts WORK on 'em - U LOSE + FAIL a PORTFILTER TEST https://yro.slashdot.org/comme...

Issues are still unresolved

[Draconi]

Hi, original author here. The issues are still unresolved as of this morning.

It's not a "bug" ...

... it's a "feature".

LOL! MOMMY HELP ME (golden wine)... apk

Hohohohoho see the CLASSIC proof of that here soyboys as you DRINK the golden wine https://science.slashdot.org/c... straight from MY tap (of GOLDEN piss), all natural ingredients, naturally filtered (of ME pissing right into your shitbag mouths & funniest part is, you help me DO it - you LIKE it, lol!).

Do you LIKE the taste? Obviously yes - just like folks like my hosts engine, anything I put out, even piss, is GOOD (unlike "your kind").

Above all else though? Hey - MOMMY LOVES YOU!

APK

P.S.=> Hahahahaha (I think this is the BEST overall letting you SHEMALE soyboys destroy yourselves for GOLD (ask SuckerBERG about that - he's the expert as is all his kind are - heading into ZylonB & Furnace time again judging by what's happening - the PRICE of it is that, always, they don't learn)... apk