Saturday, April 28, 2018

Google Inbox spoofing vulnerability lets attackers fake email recipients

Be careful what you click on. Eli Grey is a security researcher who has found a vulnerability in Google Inbox that allows an attacker to create a mailto link that spoofs the recipient of an email. He found this vulnerability on May 4th, 2017, almost a year ago, and reported it to Google privately. After following up on March 16th of this year and finding the bug still unresolved, he decided to publicly disclose this vulnerability.

Generally, mailto links are used to automatically populate the content of an email to save users some time. We use a mailto link on our tip page to make it easier for users to send us a tip. Email clients such as Gmail or Google Inbox are supposed to parse these links and pre-compose the email draft with whatever information is present in the mailto link. For example, you could click a link to send PayPal customer support an email and it would show support@paypal.com in the outgoing recipient box.

What Eli Grey discovered is that you can construct a mailto link to spoof the email recipient in Google Inbox. This means that even though the draft email might say you are sending an email to support@paypal.com, it could be sending it to an entirely different address. The only way you would know is if you inspected the mailto link or expanded the "to" field before sending the email.

As an example, this mailto link will place support@paypal.com in the "to" box, but if you actually send an email here it will instead go to scammer@phishing.fakewebsite (obviously not a real email address). Fortunately, this vulnerability doesn't seem to affect Gmail or Outlook, so if you use those services you don't have to worry.
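The article does not publish the exact link Eli Grey used, so the following is an added example, not code from the article or from the researcher: a small RFC 6068 mailto parser that lists every address a compliant client would actually send to (path recipients plus any to=, cc= and bcc= headers) and flags anything beyond the one address a user is likely to see. The sample links are constructed for illustration.

```javascript
// Added example: enumerate every recipient a mailto: link carries, so a
// reviewer can compare the "shown" address with the full destination list.
// Constructed sample links below; the real vector is not disclosed on the page.

function parseMailto(href) {
  if (!/^mailto:/i.test(href)) throw new Error("not a mailto: link");
  const body = href.slice("mailto:".length);
  const qIndex = body.indexOf("?");
  const pathPart = qIndex === -1 ? body : body.slice(0, qIndex);
  const queryPart = qIndex === -1 ? "" : body.slice(qIndex + 1);

  // RFC 6068: only percent-escapes are decoded; "+" is a literal, not a space.
  const decode = (s) => { try { return decodeURIComponent(s); } catch { return s; } };
  const splitAddrs = (s) => s.split(",").map((a) => decode(a).trim()).filter(Boolean);

  const recipients = { to: splitAddrs(pathPart), cc: [], bcc: [] };
  const other = {};
  for (const field of queryPart.split("&")) {
    if (!field) continue;
    const eq = field.indexOf("=");
    const name = decode(eq === -1 ? field : field.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? "" : field.slice(eq + 1);
    if (name === "to" || name === "cc" || name === "bcc") {
      recipients[name].push(...splitAddrs(value)); // extra recipients hide here
    } else {
      other[name] = decode(value); // subject, body, and so on
    }
  }
  return { ...recipients, other };
}

// The first path recipient is what a compose window typically shows;
// anything else in the list is a destination the user may never notice.
function hiddenRecipients(href) {
  const r = parseMailto(href);
  const all = [...r.to, ...r.cc, ...r.bcc];
  const shown = r.to[0] || "(none)";
  return { shown, all, hidden: all.filter((a) => a !== shown) };
}

// Constructed samples (not the link from the article).
const benign = "mailto:support@paypal.com?subject=Help";
const suspect = "mailto:support@paypal.com?to=scammer%40phishing.fakewebsite&subject=Help";
console.log(hiddenRecipients(benign));   // hidden: []
console.log(hiddenRecipients(suspect));  // hidden: ["scammer@phishing.fakewebsite"]
```

A link checker or mail-client test can run `hiddenRecipients` over every `mailto:` href on a page and warn whenever `hidden` is non-empty.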

[Image: Google Inbox spoofing]

Regardless, this is a prime example of why you should always inspect the links to anything you are about to click. Last year, a very clever Google Docs phishing scheme rocked the world because of how convincing it was to even the most observant, technologically savvy users. Avoiding a repeat of these schemes requires being vigilant, and never becoming too comfortable when it comes to your own personal security.



from xda-developers https://ift.tt/2HyQJ0t
via IFTTT
