Two Flaws in Gmail Could be used in Phishing Attacks

Software Developer Tim Cotten found two bugs in Gmail that could help attackers craft convincing phishing emails. The first, disclosed on November 13, allows an actor to place an arbitrary email address in the sender field. This could be used in email spoofing attacks to convince the end user that an email is coming from a trusted source. The second, disclosed on November 16, allows an actor to replace some text with a tag that causes the user interface to leave a blank space where the sender’s email address should be. This could be used to send phony account alerts to end users, prompting them to click on a malicious link or attachment. The NJCCIC recommends Gmail users review Cotten’s blog posts on these flaws, available here and here, and educate end users on this and similar phishing threats, reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails, including those from known senders.
