Yan Zhu, a Technology Fellow at the Electronic Frontier Foundation, has unearthed a flaw in the Gmail Android app that can lead to very effective phishing attacks.
The flaw is easy to exploit: the attacker has to simply change his or her display name in the email account settings.
As an example, in the email above, Zhu showed how easy it would be to impersonate an employee of Google’s security team.
Instead of her own email address, the fake one was shown to the recipient because Zhu changed the display name to yan “”firstname.lastname@example.org”. Notice the extra quotation mark, which triggers a parsing bug in the Gmail app, and the real email address to be effectively invisible, as Zhu explained to Motherboard.
What’s more, she says, such an attack would pass the protections Google put into place to spot phishing emails.
But when she shared her discovery with Google, the company replied by saying that this was not a security issue. So, she shared the existence of the bug on Twitter, and didn’t (as some of her followers suggested) try the trick on Google employees to prove the point.