A security researcher discovered an interesting vulnerability in the Gmail app for Android devices that allows anyone to send email that looks like it was sent by someone else.
Phishers use this technique, known as email spoofing, to deceive their victims. It usually involves forging an email header so that the message appears to come from someone else.
Independent security researcher Yan Zhu discovered the bug in the official Gmail app for Android devices.
The bug allowed her to hide her real address and change her display name in the account settings, so the recipient could not tell who the real sender was.
How to Send Spoofed Emails via Gmail for Android?
To prove her point, Zhu sent an email to someone after changing her display name to one with extra quotes: ""security@google.com". The screenshot Zhu posted on Twitter is shown below.
"Extra quotes [in the displayed name] cause a parsing error in the Gmail application, which makes the actual e-mail invisible," Zhu told Motherboard.
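A receiving-side check for the display-name trick described above, as an added example that is not code from the original article or from Google: it flags From headers whose display name has unbalanced quotes or shows an address other than the real sender. The function names, the regular expressions and the sample headers (including sender@example.org) are assumptions constructed for illustration.

```python
import re

# Loose pattern for anything that looks like an address inside a display name.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample From values; only the quoted display name comes from the article.
SAMPLES = [
    '"Alice Example" <alice@example.org>',
    '""security@google.com" <sender@example.org>',
    '"security@google.com" <sender@example.org>',
]


def split_from(header):
    """Split a raw From value into (display_name, address).

    The address is taken from the last <...> pair, so a malformed display
    name cannot influence which address is treated as the real sender.
    """
    m = re.search(r"<([^<>]*)>\s*$", header)
    if m:
        return header[: m.start()].strip(), m.group(1).strip().lower()
    # No angle brackets: the whole value is a bare address with no display name.
    return "", header.strip().lower()


def audit_from(header):
    """Return a list of findings for one From header value."""
    display, address = split_from(header)
    findings = []
    # Count double quotes that are not backslash-escaped; an odd count means
    # the quoted string never closes, which is what trips up lenient parsers.
    if len(re.findall(r'(?<!\\)"', display)) % 2:
        findings.append("unbalanced-quotes")
    # An address shown in the display name that is not the real sender.
    for shown in ADDR_RE.findall(display):
        if shown.lower() != address:
            findings.append("display-name-address:" + shown.lower())
    return findings


if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", audit_from(value) or "ok")
```

A mail gateway or client could apply the same two checks before rendering the sender, and always display the address from the angle brackets next to any flagged name.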
Google: "Bug is not a security vulnerability"
Zhu reported the flaw to Google's security team in late October, but the team dismissed her report, saying the bug was not a security vulnerability.
"Thanks for your note, we do not consider the bug a security vulnerability," a member of Google's security team told Zhu.
"A Gmail bug in Android that allows you to send emails with a fake address is not a security issue for Google. ¯\_(ツ)_/¯," wrote Zhu.
filed a gmail android bug that lets me fake sender email address. they said it's not a security issue. ¯\_(ツ)_/¯
- yan (@bcrypt) November 11, 2015
And the picture published by the researcher: