Recently I came across a post in /r/Android linking to a blog by Eli Grey (link), a security researcher, who found a design flaw in Google Inbox that allows an attacker/phisher to create a mailto link that spoofs the recipient of an email.

Grey explains that the spoofing happens when the composition box hides the email addresses of the recipients without providing a way to look at the actual email address you are emailing.

For those of you who are unfamiliar, mailto links are used in HTML to produce a link on websites that will open your default mail app so you can compose an email to an email address. In iOS, clicking a "mailto:" link will open the Mail Compose UI on top of whatever app you have open. On Macs, the default option is Mail, but this can be changed to other clients like Airmail ($9.99) or Newton Mail (free, IAP for $50).

For example, if I type my email address, exjrreddit@icloud.com, your OS/browser might not make it clickable. In this case, to email me you would need to select it, copy it and then paste it into your email client. By adding a mailto: link, you won't need to do those steps. A mailto: link looks like this: Inset text here (without the single quote marks)

The bug/vulnerability/bad design here happens when someone manipulates the mailto link to show a different string (name, email address, phone number, etc.) in your "To:" field while putting another email address behind that displayed string. In the example Grey used, mailto:"support@paypal.com"<scam@phisher.example>, the address you will actually be emailing is "scam@phisher.example", but the iOS client will show "support@paypal.com".

Double tapping on the person you are emailing will open a Contact View UI where you will see that "support@paypal.com" is actually set as the name of the "contact" you are emailing. The actual email address will be further down.
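To make the pattern concrete, here is an added example (not from the original post or from Grey's write-up) that splits a mailto: recipient into the string a client might display and the address that will actually be mailed, and flags the case described above, where the display string itself looks like an email address but differs from the real one. The function names and the sample addresses other than Grey's example are constructed for this illustration.

```javascript
// Parse the recipient part of a mailto: link into display string and real address.
// Handles three shapes: "display"<addr>, display <addr>, and a bare address.
function parseMailtoRecipient(href) {
  if (!/^mailto:/i.test(href)) throw new Error("not a mailto: link");
  // Drop the scheme and any header fields (?subject=..., &body=...).
  let to = href.slice("mailto:".length).split("?")[0];
  try {
    to = decodeURIComponent(to); // links are often percent-encoded
  } catch (e) {
    // Undecodable escape sequence: keep the raw text rather than fail.
  }
  to = to.trim();

  // Optional display string (quoted or not) followed by an angle-bracketed address,
  // e.g. "support@paypal.com"<scam@phisher.example>
  const m = to.match(/^(?:"([^"]*)"|([^<]*?))\s*<([^>]*)>$/);
  let display;
  let address;
  if (m) {
    display = (m[1] !== undefined ? m[1] : m[2]).trim();
    address = m[3].trim();
  } else {
    // Bare address, no display string at all.
    display = "";
    address = to;
  }

  // The spoof from the post: the display string reads like an email address,
  // but it is not the address the message will actually go to.
  const looksLikeAddress = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(display);
  const spoofed = looksLikeAddress && display.toLowerCase() !== address.toLowerCase();
  return { display, address, spoofed };
}

// Render the recipient the way the unaffected clients in the post do: always show
// the real address next to the display string, so nothing is hidden from the user.
function safeRecipientLabel(href) {
  const { display, address } = parseMailtoRecipient(href);
  return display ? `"${display}" <${address}>` : address;
}
```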

Try it yourself with this link

Grey found this vulnerability to work on Google Inbox. The folks at XDA tested this with Gmail and Outlook and found that these email clients aren't affected by this vulnerability.

The macOS Mail app isn't affected by this, as it shows you the display string + email address in the "To:" field.

I tried this on Newton (my default email client on the Mac), and I found out that Newton puts quotation marks (") around the displayed string, and clicking on it will display the email address you are actually emailing.

In the case of Airmail, it will not show you the display string, but it will show you the actual email you are writing to.