Gmail Glitch Offers Stealthy Trick for Phishing Attacks


The issue comes from how Gmail automatically files messages into the “Sent” folder.

A strange glitch in Gmail can be exploited to place emails into a person’s “Sent” folder — even if that person never sent them.

Researchers who discovered the bug worry that it gives phishers and scammers another avenue to trick unsuspecting users into clicking on malicious links or opening rogue attachments.

The Gmail issue, discovered and outlined by software developer Tim Cotten this week, stems from the way that Gmail organizes its folders. It files an email into the Sent folder based on the address in the “from” field. So, if an attacker sends an email to a target, which has been specially crafted to also have that target’s email address in the “from” field, the mail will automatically go to the person’s inbox and Sent folder at the same time. This gives the false impression to the unwitting user that it was an email they themselves sent, said Cotten.

“So it appears that by structuring the from field to contain the recipient’s

Read more…