
New Gmail Bug Allows Sending Messages Anonymously

Sunday, 25 November 2018, 21:34, by Slashdot
Earlier this week software developer Tim Cotten discovered a serious glitch in Gmail. An anonymous reader quotes BleepingComputer:

Tampering with the 'From:' header by replacing some text with an <object>, <script> or <img> tag causes the interface to show a blank space instead of the sender's address.... Opening the email does not help, either, as the sender's address continues to remain hidden and shows no info even when hovering on it, an action that typically reveals the details.... Trying to reply to the message is also of no help. Cotten attempted this thinking that Gmail would read the original email headers and determine the destination. 'Wrong again! Gmail is at a complete loss at what to do!' Cotten writes in a blog post that details his new finding....

Using the Show Original option, which allows users with more experience to trace an email, the desired detail is still unavailable in the user-friendly view. Looking at the raw info, however, shows the source address buried at the end of the <img> tag Cotten used in his experiment. He didn't even have to spell the data type correctly to trigger the bug. Unfortunately, it is highly unlikely that the average Gmail user will be able to navigate to this area and determine who the apparently anonymous message is coming from. Due to this, for these users the risk of phishing is high.

Cotten's bug report 'relies on his previous discovery that proved how a malformed "From:" header allows placing an arbitrary email address in the sender field,' the article points out, also noting a third recently-reported Gmail bug that 'allows fraudsters to create a "mailto:" link that populates the destination field in the app with whatever address they want; the latter was reported about 19 months ago to Google and is still present in the Gmail app for Android.'

'According to the developer, one solution Google could implement to avoid forging the From field is to properly check the email headers and deny communication with an anomalous structure in the sender or recipient fields. Another method proposed by Cotten is Joran Greef's project Ronomon, which can trigger errors when email specifications are not followed.'
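The header check described above (deny a message whose From: field has an anomalous structure), as an added example that is not Cotten's, Google's or Ronomon's code: a Python filter that accepts a From: header only when it is exactly one RFC 5322 mailbox, so tags smuggled into the field are rejected before rendering. The grammar is a deliberate simplification (no comments or obsolete syntax) and the sample messages are constructed.

```python
import re
from email.parser import BytesParser
from typing import Tuple

# Simplified RFC 5322 mailbox grammar (assumption: a deliberate subset, not the
# full grammar with comments and obsolete syntax). Anything outside it is
# treated as an anomalous From: header, which is the policy the article proposes.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"            # RFC 5322 atext
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
ADDR_SPEC = rf"{DOT_ATOM}@{DOT_ATOM}"                 # local-part@domain
QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'                     # quoted-string
WORD = rf"(?:{QUOTED}|(?:{ATEXT}|\.)+)"               # one display-name word
PHRASE = rf"{WORD}(?:[ \t]+{WORD})*"
MAILBOX = re.compile(rf"^(?:{ADDR_SPEC}|(?:{PHRASE}[ \t]*)?<{ADDR_SPEC}>)$")


def check_from_header(raw_message: bytes) -> Tuple[bool, str]:
    """Return (accepted, detail) for a raw RFC 5322 message.

    Rejects a message unless it carries exactly one From: header whose
    unfolded value is a single mailbox. HTML tags placed in the header
    (<img>, <object>, <script>) fail the bracket count and the grammar.
    """
    msg = BytesParser().parsebytes(raw_message)       # compat32: raw str values
    values = msg.get_all("From") or []
    if len(values) != 1:
        return False, f"expected exactly one From header, found {len(values)}"
    value = " ".join(values[0].split())               # unfold continuation lines
    # At most one angle-addr: a second '<' or '>' means markup or a second
    # address was added, even when it hides inside a quoted display name.
    if value.count("<") > 1 or value.count(">") > 1:
        return False, f"markup-like angle brackets in From header: {value!r}"
    if not MAILBOX.match(value):
        return False, f"From header is not a single mailbox: {value!r}"
    return True, value


# Constructed sample messages (not from the article) for a quick self-check.
GOOD = b"From: Tim Cotten <tim@example.com>\r\nSubject: hi\r\n\r\nbody\r\n"
FOLDED = b"From: Tim\r\n Cotten <tim@example.com>\r\n\r\nbody\r\n"
TAGGED = b'From: "Tim" <img src="x"> <tim@example.com>\r\n\r\nbody\r\n'
OBJECT = b"From: <object data=x> tim@example.com\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for sample in (GOOD, FOLDED, TAGGED, OBJECT):
        print(check_from_header(sample))
```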
Threatpost reported Tuesday that Google 'did not respond to a request for comment.'

Read more of this story at Slashdot.
rss.slashdot.org/~r/Slashdot/slashdot/~3/oA-8fjq91BM/new-gmail-bug-allows-sending-messages-anonymous
News copyright owned by their original publishers | Copyright © 2004 - 2024 Zicos / 440Network