A strange glitch in Gmail can be exploited to place emails into a person’s “Sent” folder — even if that person never sent them.
Researchers who discovered the bug worry that it gives phishers and scammers another avenue to trick unsuspecting users into clicking on malicious links or opening rogue attachments.
The Gmail issue, discovered and outlined by software developer Tim Cotten this week, stems from the way that Gmail organizes its folders. It files an email into the Sent folder based on the address in the “from” field. So, if an attacker sends an email to a target, which has been specially crafted to also have that target’s email address in the “from” field, the mail will automatically go to the person’s inbox and Sent folder at the same time. This gives the false impression to the unwitting user that it was an email they themselves sent, said Cotten.
“So it appears that by structuring the from field to contain the recipient’s address along with other text, the GMail app reads the from field for filtering/inbox organization purposes and sorts the email as though it were sent from [the recipient], despite it clearly also having the originating mailbox as [another address],” he explained.
Click to enlarge
This is a potential boon for malicious actors. Spam emails to the inbox might be filtered out, but the mail that goes to the Sent folder will remain. An attacker could then, for example, send a follow-up email asking the victim to look back at previous correspondence to find something, and from there convince them to open something malicious.
“The confusion being injected into the average user experience is an open door for malicious actors… Imagine, for instance, the scenario where a custom email could be crafted that mimics previous emails the sender has legitimately sent out containing various links,” said Cotten. “A person might, when wanting to remember what the links were, go back into their sent folder to find an example: disaster!”
Making the issue trickier, after an email is filed in the Sent folder, it looks as though it’s been read/opened, like other sent messages, except for the fact that the subject is bolded.
This is apparently not the only Gmail-filtering bug out there; Cotten also posted a note from “tekstar” discussing another trick with auto-filtering.
“For example imagine Alice emails Bob and Chad, and in the ‘to:’ field for Bob she gives Bob a different name, like ‘Brad’ [but the address is still <bob@bob.com>],” tekstar said. “If Chad replies to this email, Bob will now be in his contact list as Brad. The email is still bob@bob.com but you can see how it could be malicious, or at least fodder for fun pranks.”
Cotten has reported the findings to Google, he said.
