Gmail Glitch Offers Stealthy Trick for Phishing Attacks

[silversurfer]

A strange glitch in Gmail can be exploited to place emails into a person’s “Sent” folder — even if that person never sent them.
Researchers who discovered the bug worry that it gives phishers and scammers another avenue to trick unsuspecting users into clicking on malicious links or opening rogue attachments.

The Gmail issue, discovered and outlined by software developer Tim Cotten this week, stems from the way that Gmail organizes its folders. It files an email into the Sent folder based on the address in the “from” field. So, if an attacker sends an email to a target, which has been specially crafted to also have that target’s email address in the “from” field, the mail will automatically go to the person’s inbox and Sent folder at the same time. This gives the false impression to the unwitting user that it was an email they themselves sent, said Cotten.

“So it appears that by structuring the from field to contain the recipient’s address along with other text, the GMail app reads the from field for filtering/inbox organization purposes and sorts the email as though it were sent from [the recipient], despite it clearly also having the originating mailbox as [another address],” he explained.

“The confusion being injected into the average user experience is an open door for malicious actors… Imagine, for instance, the scenario where a custom email could be crafted that mimics previous emails the sender has legitimately sent out containing various links,” said Cotten. “A person might, when wanting to remember what the links were, go back into their sent folder to find an example: disaster!”

Source: https://threatpost.com/gmail-glitch-offe...ks/139167/