Technology

Gmail Bug Lets You Impersonate Another Person’s Account

Although it might be something that most people want to do on a regular basis, the bug allows Gmail users to send emails that appear to originate from an account that is not their own.

The bug is amazingly easy to activate and was discovered by independent security researcher Yan Zhu. Zhu found that by simply changing your display name in the Gmail app you can change the address from which you send emails.

Gmail Bug Lets You Impersonate Another Person's Account

Security researcher finds simple Gmail bug

Zhu spoke to Motherboard about the bug, revealing how she changed her display name to “”security@google.com” with two sets of quotation marks at the beginning. The extra set of quotation marks are in fact what conceals your true email address, and in Zhu’s case it looked as though the email was sent by Google’s security team.

Obviously this could fool other Gmail users into thinking that the email was trustworthy if it asked for sensitive information and would be incredibly useful for anyone carrying out phishing attacks. Otherwise it could also be used to impersonate someone else in order to gain access to information that the target might not otherwise send to you.

Unfortunately for those concerned by internet security, i.e. almost everyone, Google apparently does not think the bug is a big deal. Zhu told the tech giant about the bug in late October but it informed her it did not constitute a security vulnerability.

Google apparently unconcerned by flaw

Why are Google being so relaxed about what sounds like a serious threat? As Motherboard says “it’s always been possible to spoof email envelope addresses, but spoofed emails now usually get caught by spam filters or get displayed with a warning in Gmail… with this bug, a hacker can get around these protections.”

If the bug lets people bypass common security filters, why will Google not fix it? It seems amazing that such a simple but important bug went undetected for so long.

Perhaps the company will get around to it at some point. In the meantime Gmail users should be extra careful with emails asking for sensitive information.