科技回声 (Tech Echo)

A tech news platform built on Next.js that mirrors global tech news and discussion threads.

Hacking Gmail’s UX with 'From' Fields – Another Phishing Vector

114 points, by cottenio, over 6 years ago

7 comments

Sephr, over 6 years ago
You think that's bad? There's a Google Inbox and Gmail spoofing vulnerability which has been disclosed for over a year, and it's still not fixed.

Vulnerability details: https://eligrey.com/blog/google-inbox-spoofing-vulnerability/

Screenshot: https://go.eligrey.com/t/screenshots/google-inbox-spoofing-on-android

PoC demo (open on Android using Google Inbox or Gmail): https://dangerous.link/gmail-and-inbox-spoofing-on-android
Comment #18457025 not loaded
Comment #18456817 not loaded
Comment #18455036 not loaded
Comment #18457786 not loaded
tekstar, over 6 years ago
A different one than the article but also weird/dangerous: it (was? is still?) possible to manipulate someone else's contact identifiers.

This may have been fixed, but I stopped using Gmail years ago so I'm not sure...

For example, imagine Alice emails Bob and Chad, and in the To: field for Bob she gives Bob a different "Name" like "Brad" <bob@bob.com>. If Chad replies to this email, Bob will now be in his contact list as Brad. The email is still bob@bob.com, but you can see how it could be malicious, or at least fodder for fun pranks.
Comment #18459170 not loaded
zerocrates, over 6 years ago
I just naturally assumed Gmail only filed things into Sent when it... sent them. I know that it *does* "pay attention" to what it's sending: if you're accessing Gmail through IMAP/SMTP you don't need to have your client store sent messages on the server; Gmail will populate them there for you when you send through their SMTP server.
Comment #18453901 not loaded
amelius, over 6 years ago
Is someone collecting these attack vectors somewhere?

That would help prevent anyone writing an email client from making the same mistake.
Comment #18457638 not loaded
Comment #18459156 not loaded
bonoetmalo, over 6 years ago
I believe this has been a known issue for years now.
Comment #18453997 not loaded
martin-adams, over 6 years ago
This reminds me of the issue where spam emails with a calendar invite would not only appear on your Google calendar, but if the event was triggered, would give you a notification. I believe they fixed this one.
romed, over 6 years ago
This is a feature, not a bug, and it's required to get enterprise business.
Comment #18455818 not loaded
Comment #18455821 not loaded
Comment #18459773 not loaded
Comment #18459729 not loaded