Hacking Gmail’s UX With From Fields

Another Phishing Vector

Tim Cotten
Cotten.IO

--

This article explains a strange bug in the way Gmail organizes its folders/filters, triggered by falsifying the From field in an attacker’s email. Any email so forged automatically enters the recipient’s “Sent” folder — giving the unwitting user the false impression that it was an email they themselves sent.

Updated 2018–11–15: Added a section showing the Inbox/Sent views with examples and included insight from the thread on Hacker News regarding other vulnerabilities.

Updated 2018–11–17: Linking a more serious issue that allows sending “senderless” emails that can emulate the appearance of system messages: https://blog.cotten.io/ghost-emails-hacking-gmails-ux-to-hide-the-sender-46ef66a61eff

Updated 2019–01–16: Google has resolved this issue and issued me two bughunter rewards through Google’s Vulnerability Reward Program for $100 and $1,337. Thanks Google!

A Hack Attempt?

A strange thing happened to an employee today, who prudently came to me concerned their Google Apps Gmail account had been compromised by an external party.

Upon questioning they explained that they had checked their Sent folder with the “in:sent” filter and discovered several emails they had no memory of sending supporting a local political party.

Recognizing that this could indeed be a very legitimate threat to our corporate infrastructure we moved to diagnose and resolve as quickly as we could, and what we found was quite surprising: the emails had not been sent from her account, but were received from an external account and then filed in her Sent folder automatically.

Well… kind of.

Recipient name/domain obscured.

Tricksy From Field

As you can see in the above screenshot, there are two emails in the Sent folder despite their being addressed to and received by the account holder.

We double-checked the email headers to see if what we saw in the displayed From/To fields was correct, and as you can see in the screenshots the “From” field has a weird structure:

From: Mary, mindy@________.com (2) <info@nrccvictory.com>
Date: Tue, Nov 13, 2018 at 2:36 PM
Subject: Urgent: Confirm your vote
To: mindy ________ <mindy@________.com>

So it appears that by structuring the From field so that its display name contains the recipient’s address along with other text, Gmail reads the From field for filtering/inbox organization purposes and files the email as though it were sent from mindy@________.com, despite the originating mailbox clearly being info@nrccvictory.com.

Wide Open For Abuse

Admittedly, RFC 2822 section 3.6.2 prohibits this. In fact, trying to create the email manually without quotes around the “name” in the "name" <email> structure of the From field does properly error out when sending to Gmail.
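As an added example (not code from the original post), the following Python shows why the two readings of such a header diverge: a substring test over the whole From header, which is the filing behaviour the article infers, matches the mailbox owner’s address, while an RFC 5322 parse places that address inside the quoted display name and leaves the real sender as the addr-spec. The sample messages are constructed, use example.com/example.org in place of the real domains, and the final flag is the kind of check a mail filter could apply.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample messages (not taken from the original post). SPOOFED mirrors the
# header structure quoted in the article: the owner's address sits inside the quoted
# display name while the real sender is the addr-spec in angle brackets.
SPOOFED = b"""\
From: "Mary, mindy@example.com (2)" <info@example.org>
To: mindy <mindy@example.com>
Subject: Urgent: Confirm your vote

body
"""
NORMAL = b"""\
From: Mary <info@example.org>
To: mindy <mindy@example.com>
Subject: Newsletter

body
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def naive_owner_match(raw_from: str, mailbox: str) -> bool:
    """Substring test over the whole header: the filing behaviour the article infers."""
    return mailbox.lower() in raw_from.lower()


def analyse_from(raw: bytes, mailbox: str) -> dict:
    """Parse the From header per RFC 5322 and report where the owner's address really is."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    addr = msg["From"].addresses[0]           # structured: display_name vs addr_spec
    in_display_name = {a.lower() for a in ADDR_RE.findall(addr.display_name)}
    owner = mailbox.lower()
    return {
        "display_name": addr.display_name,
        "addr_spec": addr.addr_spec,
        "naive_match": naive_owner_match(msg["From"], mailbox),
        "sent_by_owner": addr.addr_spec.lower() == owner,
        # Flag for a mail filter: the owner appears only as text in the display name.
        "owner_only_in_display_name": owner in in_display_name
        and addr.addr_spec.lower() != owner,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("normal", NORMAL)):
        print(label, analyse_from(raw, "mindy@example.com"))
```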

In this particular case it could be anything from a poorly written form-fill application to a malicious phishing campaign.

But the confusion being injected into the average user experience is an open door for malicious actors.

Imagine, for instance, the scenario where a custom email could be crafted that mimics previous emails the sender has legitimately sent out containing various links.

A person might, when wanting to remember what the links were, go back into their sent folder to find an example: disaster!

Don’t get me wrong: the user should still verify the details at the top of the email and might catch on that something is odd, but we know it only takes a small percentage of due-diligence failures to have a big effect on the environment.

Googling around for a bit didn’t turn up any obvious hits on other users reporting this issue, so just to be safe I’ve reported it.

Test Cases

To make the demonstration easier, I enabled headers in mutt on one of my Linux boxes with sendmail and sent some test cases:

Check #1: the From field contained root, tim@cotten.io <root@senderdomainhere.com>

Check #2: the From field contained "root, tim@cotten.io" <root@senderdomainhere.com>

Here’s how they showed up in Gmail:

Yesterday when I attempted Check #1 the Gmail server actually rejected it for having multiple emails, so today the fact that it came in with the weird spacing is… weird. I’m not sure what changed, honestly.

Now, without clicking any of them or opening them, look at the Sent view:

Sure enough, the second test shows up in the Sent folder or with the in:sent filter.

As you can see it has a partial appearance as though it’s read/opened, but the subject is bolded.

Further Discussion

After posting this piece on Hacker News other reports of known Gmail vulnerabilities/concerns poured in, and some of them were mind-blowing!

Eli Grey posted a link to an article he wrote more than a year ago about a critical email spoofing bug that has actively cost companies considerable sums of money.

It’s been resolved in the web-app but not on mobile, and iPhone’s native email app also appears to be vulnerable.

Additionally, tekstar posted the following vulnerability:

A different one than the article but also weird/dangerous, it (was? is still?) possible to manipulate someone else’s contact identifiers.

This may have been fixed, but I stopped using gmail years ago so I’m not sure.

For example imagine Alice emails Bob and Chad, and in the To: field for Bob she gives Bob a different “Name” like “Brad” <bob@bob.com>. If Chad replies to this email, Bob will now be in his contact list as Brad. The email is still bob@bob.com but you can see how it could be malicious, or at least fodder for fun pranks.

Summary

  • You can force an email to enter someone’s Gmail Inbox, Sent folder, and in:sent filter by adding their own email to the From field’s name area (the part in quotes)
  • It’s a User Experience bug
  • It’s ripe for abuse
  • I reported it to Google and was rewarded with a $100 bughunter bounty as part of Google’s Vulnerability Reward Program
  • Google has resolved the bug

--


Founder of Scrypted Inc: Building interactive digital assets for the Metaverse. <tim@cotten.io> @cottenio