A bug in Gmail could be exploited by attackers to carry out phishing attacks, the flaw ties the way Gmail automatically files messages into the “Sent” folder.

The bug that was discovered by software developer Tim Cotten, it could be exploited by an attacker to place emails into a person’s “Sent” folder, even if the person has never sent the messages.

Gmail moves an email into the Sent folder based on the address in the “from” field.

An attacker could exploit the bug by sending an email to a target, which has been specially crafted to have that target’s email address in the “from” field.

Gmail will move the email to both the target’s inbox and Sent folder.

“So it appears that by structuring the from field to contain the recipient’s address along with other text, the GMail app reads the from field for filtering/inbox organization purposes and sorts the email as though it were sent from [the recipient], despite it clearly also having the originating mailbox as [another address],” wrote the researcher.

This issue could be exploited by hackers in an attack scenario that sees it first sending a spam emails that is moved in the inbox of the target, then he will send out a follow-up email asking the victim to look back at previous messages for some reason and trick them into open something malicious.

“Imagine, for instance, the scenario where a custom email could be crafted that mimics previous emails the sender has legitimately sent out containing various links.” wrote Cotten.

“A person might, when wanting to remember what the links were, go back into their sent folder to find an example: disaster!

Don’t get me wrong, the user should still verify the details at the top of the email and might catch on that something is odd —but we know it only takes a small percentage of due-diligence failure to have a big environment effect.”

Cotten reported the findings to Google, he also cited another bug in Gmail filtering that was reported by “tekstar”:

“For example imagine Alice emails Bob and Chad, and in the ‘to:’ field for Bob she gives Bob a different name, like ‘Brad’ [but the address is still <bob@bob.com>],” tekstar said. “If Chad replies to this email, Bob will now be in his contact list as Brad. The email is still bob@bob.com but you can see how it could be malicious, or at least fodder for fun pranks.”

Pierluigi Paganini