Ghost Emails: Hacking Gmail’s UX to Hide the Sender

Faking the Appearance of a System Message in Gmail

This article complements my previous identification of flaws in the way Gmail's UX interprets the From field in email headers. When the From field is tailored with a malicious input in a certain way, the Gmail app leaves the sender display completely blank, both in the list view and in the detailed email view. This could be further weaponized for phishing attacks that fake the appearance of official warnings or system messages.

Updated 2018-12-11: Google has resolved this issue and issued me a $1,337 bughunter reward through Google's Vulnerability Reward Program. (I appreciated the "Leet" reference!)