Independent security researcher Yan Zhu has uncovered a bug in the Gmail Android app that lets anyone spoof their email address.
The bug manifests itself after the user changes their display name. Entering something like the text below allows anyone to send emails spoofed to look like they were coming from someone else.
After this, the user can enter any email address they like, and every message they send from then on will appear to come from that fake address.
Yan reported the issue to Google, but the company has not fixed it yet, declining to classify it as a security bug.
Google's reasoning is puzzling, since the entire DMARC standard was put in place specifically to prevent email spoofing, one of the main channels through which phishing attacks propagate. Google is also one of the main driving forces behind DMARC being implemented in modern email services.
While DMARC and other email authentication protocols can detect various spoofing techniques and block spam or phishing messages before they reach users, Yan's tests have shown that messages sent via her bug currently pass undetected.
This issue only affects the Gmail app for Android.
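The reason DMARC does not catch this class of spoofing is that DKIM and SPF only authenticate the domain of the real mailbox in the From header, while the fake address lives in the display name. The following mail-filter check is an added example written for this article, not code from Yan Zhu's research or from Google; the `analyze_from` function and the sample headers are constructed here to show how a receiving system can flag a From header whose display name carries an address other than the authenticated mailbox.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Loose addr-spec matcher; only used to spot address-like text anywhere in the header.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def analyze_from(header_value: str) -> dict:
    """Inspect a From: header for display-name impersonation (hypothetical helper).

    DMARC aligns DKIM/SPF with the domain of the real mailbox (the addr-spec), so a
    display name that merely looks like an address passes authentication and still
    shows a fake sender to the user. We flag any address-like text in the header
    that is not the parsed mailbox, and any angle brackets left inside the display name.
    """
    # Decode RFC 2047 encoded words first, so an address hidden in =?utf-8?q?...?= is seen.
    decoded = str(make_header(decode_header(header_value)))
    display_name, mailbox = parseaddr(decoded)
    # Parsers disagree about which mailbox wins in an ambiguous header such as
    # 'a@x.org <b@y.org>', so count every address-like token instead of trusting one parse.
    all_addrs = {a.lower() for a in ADDR_RE.findall(decoded)}
    decoys = sorted(all_addrs - {mailbox.lower()})
    suspicious = bool(decoys) or "<" in display_name or ">" in display_name
    return {
        "display_name": display_name,
        "mailbox": mailbox.lower(),
        "decoy_addresses": decoys,
        "suspicious": suspicious,
    }


# Constructed sample headers (not taken from the article): one benign, two deceptive.
SAMPLES = [
    '"Alice Example" <alice@example.com>',
    '"Alice <ceo@example.com>" <attacker@example.net>',
    '=?utf-8?q?ceo=40example=2Ecom?= <attacker@example.net>',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw, "->", analyze_from(raw))
```

A real deployment would combine this flag with the Authentication-Results header, treating a passing DMARC verdict as covering only the parsed mailbox domain and never the display name.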
no dkim validation error, etc. anyway i am prolly gonna stop bugging them. pic.twitter.com/2VmEk8u4kB
— yan⚠ (@bcrypt) November 11, 2015
@bcrypt Send the email from Sergey or Larry and tell them it's a high priority bug that they need to fix immediately. Problem solved.
— Phred (@fearphage) November 11, 2015