A Closer Look at a Vulnerability in Gmail
Gmail is one of the major webmail service providers across the globe. But as we all know, Gmail still carries that four-letter word BETA. Sometimes we may wonder why Gmail is still in the testing stage even years after its launch. Here is one small reason for that.
Gmail follows a strict rule that doesn't allow its users to have their first or last name contain the term Gmail or Google. That is, while signing up for a new Gmail account, users cannot choose a first or last name that contains the term Gmail or Google. You can see this in the snapshot below.

This rule is implemented by Gmail for obvious reasons: if users were allowed to keep a first or last name containing the term Gmail or Google, it would be easy to impersonate the identity of Gmail (or the Gmail Team) and carry out phishing or social engineering attacks on innocent users. This could be done by simply choosing the first and last name from combinations such as the following.

First Name    Last Name
----------    -------------------
Gmail         Team
Google        Team
Gmail         Password Assistance
From the above snapshot we can see that Gmail has made a good move in stopping users from abusing its service. However, this move isn't enough on its own to prevent malicious users from impersonating Gmail's identity, because Gmail has a small vulnerability that can be exploited so that users can still have their name contain the terms Gmail or Google. You may wonder how to do this, but it's very simple.
1. Log in to your Gmail account and click on Settings.
2. Select the Accounts tab.
3. Click on "edit info".
4. In the Name field, select the second radio button and enter the name of your choice. Click on Save Changes and you're done!
Now Gmail accepts any name, even one that contains the term Google or Gmail. You can see this in the snapshot below.

Allowing users to have their names contain the terms Gmail or Google is a serious vulnerability, even though it doesn't seem to be a major one. A malicious attacker can easily exploit this flaw and send phishing emails to other Gmail users asking for sensitive information such as their passwords. Most users don't even hesitate to send their passwords, since they believe they are sending them to the Gmail Team (or someone authorized). In reality they are sending them to an attacker who uses this information for personal gain.
So the bottom line is: if you get any email that appears to have come from the Gmail Team or similar, don't trust it! Anyone can send such emails to fool you and take away your personal details. I hope Gmail will fix this vulnerability as soon as possible to avoid any disasters.
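The defensive side of the problem described above is to stop treating the display name in the From: header as evidence of who sent a message. The example below is added here and is not code from the original post: it parses a raw message, separates the display name from the actual address, and flags any message whose display name invokes the Gmail or Google brand unless the message carries a DKIM pass from a domain on a trusted list. The trusted list (google.com and accounts.google.com) and the three sample messages are constructed assumptions for the example; the consumer mailbox domain gmail.com is deliberately left off the list, because, as the post shows, any user can send from it under a brand-like display name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Terms the post says Gmail refuses in sign-up names but accepts as the
# Settings display name.
BRAND_TERMS = ("gmail", "google")

# Domains whose DKIM signature we accept as backing a brand claim. This list is
# an assumption made for the example, not one published by Google. gmail.com is
# intentionally absent: any account holder can send DKIM-signed mail from it.
TRUSTED_SIGNING_DOMAINS = {"google.com", "accounts.google.com"}


def parse_from(header_value):
    """Split a From: header into (display name, address, address domain)."""
    name, addr = parseaddr(header_value or "")
    domain = addr.rpartition("@")[2].lower()
    return name.strip(), addr, domain


def parse_auth_results(header_value):
    """Extract the DKIM verdict and signing domain from Authentication-Results."""
    if not header_value:
        return None, None
    verdict = re.search(r"\bdkim=(\w+)", header_value)
    signer = re.search(r"header\.[id]=@?([A-Za-z0-9.-]+)", header_value)
    return (verdict.group(1).lower() if verdict else None,
            signer.group(1).lower() if signer else None)


def claims_brand(display_name):
    """True when the display name contains one of the brand terms."""
    lowered = display_name.lower()
    return any(term in lowered for term in BRAND_TERMS)


def is_suspicious(display_name, dkim_result, dkim_domain):
    """A brand claim must be backed by a DKIM pass from a trusted signing domain."""
    if not claims_brand(display_name):
        return False
    return not (dkim_result == "pass" and dkim_domain in TRUSTED_SIGNING_DOMAINS)


def assess(raw_message):
    """Return the parsed sender facts and a verdict for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr, addr_domain = parse_from(msg.get("From"))
    dkim_result, dkim_domain = parse_auth_results(msg.get("Authentication-Results"))
    return {
        "display_name": name,
        "address": addr,
        "address_domain": addr_domain,
        "dkim_result": dkim_result,
        "dkim_domain": dkim_domain,
        "suspicious": is_suspicious(name, dkim_result, dkim_domain),
    }


# Constructed sample messages (not real traffic). The first mimics the attack in
# the post: a brand-like display name on an ordinary gmail.com account, which
# Gmail signs just like any other user's mail.
PHISH = """From: "Gmail Team" <gmail.team.support@gmail.com>
To: victim@example.com
Subject: Confirm your password
Authentication-Results: mx.example.com; dkim=pass header.i=@gmail.com; spf=pass smtp.mailfrom=gmail.com

Reply with your password to keep your account active.
"""

LEGIT = """From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert
Authentication-Results: mx.example.com; dkim=pass header.i=@accounts.google.com; spf=pass smtp.mailfrom=accounts.google.com

A new sign-in was detected.
"""

UNSIGNED = """From: Gmail Password Assistance <help@example.net>
To: victim@example.com
Subject: Password reset

Send us your current password to reset it.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT), ("unsigned", UNSIGNED)):
        print(label, assess(raw))
```

The point the check makes is that a passing DKIM signature alone is not enough: the phishing sample passes DKIM for gmail.com, exactly as a genuine user's mail would, so the verdict has to combine the brand claim in the display name with the identity of the signing domain, not just the fact that a signature verified.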
I cannot believe Google overlooked the change-your-name function in the account settings. That is fantastic; there must be tons of holes in Gmail. It definitely still works, by the way.
Every software or service in this Computer Field is in its Beta stage, some admit it is and some don’t. Just give me name of any soft or service, and I’ll tell you why it is still in Beta stage…..
I am just going to complain google about it. BYE BYE!
I think that is not a vulnerability. That name only shows in the "From:" header, which indeed can be easily spoofed (thanks to SMTP), BUT you can't change the sender email address when sending email using Gmail. So the "From:" header will be something like:
From: Spoofed Name .
When you use SMTP over SSL (authenticated mode) to send email using the Gmail mail server, you also can't change the sender email address (please read http://www.ilmuhacking.com/how-to/sending-email-via-gmail-smtp-server-using-openssl/ ). Gmail will override the "From" header.
Actually you can change the sender email address to include the gmail keyword when you use the Gmail SMTP server in non-authenticated mode, but the consequences are:
1. your email will not look legitimate because no DKIM header is found,
2. your email will go to the Spam folder,
3. last, in non-authenticated mode you can only send email to Google network email (@gmail and other Google Apps domains).
hello dear i am telling you that how to hack in college and how to make makamaka
Srikanth, you rock..
It's a great fact; someone should tell Google….
Blunder if they wouldn't know this….
@ rizki wicaksono
I am sorry, I think you have not got what I am saying. What I meant to say is, Gmail can be tricked into including the term "Gmail" or "Google" in the "From:" address field while sending outgoing emails. This will make the receivers of the email believe that it has been sent by the Gmail/Google team. This works in both authenticated (SSL) and non-SSL modes. I tested this before I published this post. I am not trying to say that Gmail allows the change of but it allows the change of the "From:" field to include the terms "Gmail" or "Google". I think you have got what I am saying…
Of course emails can be spoofed to contain any data in the header. But this is out of the scope of this post. My point is that Gmail makes it easy for attackers to spoof the "From:" field to make it look like it has come from Gmail/Google.
@ Slim0123
What you are saying is correct. Here I am just trying to show one small reason for that…..
Srikanth, can you hack some passwords for me? Contact me: timodwyer14@gmail.com
Hi Srikanth,
Thanks for all the help and tricks; most of the articles were of help. I started recently to check out your web and already learned so many things.
I got a problem with my system. When I shut down my system, it doesn't shut down, so I manually switch it off. Can you suggest why this happens and how I can fix it?
Also, if I'm not burdening you: I recently accidentally deleted a partition and all my data got lost. I also rearranged partitions. What are the chances of retrieving the data and how can I retrieve it? Please help me with a step-by-step procedure.
Thanks a TRILLION.
Hi Srikanth,
I had posted a comment regarding system shutdown, etc. and was looking for your reply; now there's no reply nor my comment. Why so? Did I ask anything wrong?
Thanks
@ sayraf77
You need to check your PC for hardware problems. This happens when there is a wrong connection of wires on the motherboard. This is a minor problem and can be solved free of cost.
And regarding data recovery, you can search for "data recovery software" on Google.
Thanks for the reply,
but the suggestion was not specific.
Anyway, thanks.
If we click on the “Show details” button in any message we can get the real details of the sender.
Thanks for sharing your learning. I use posts from your site and publish articles about email security. Vladimir
It's fantastic, but we can change only the username, and the email ID still goes as the real one.
Is there any way to change the ID?
I want to know, if someone has changed my password, how to get my ID back. I mean someone has hacked my account and I want it back. Is there no other way to get my ID back?
@ Radhika
Refer to the following link:
How to Protect an Email Account from being Hacked
Thanks for sharing; this is very helpful.
Great post. There is good deal of great information right, though I did want to allow a person understand something – I am running Fedora utilizing the latest experiment with of Firefox, and the appear and feel associated with the blog is kind of bizarre for me. I read the articles, but the navigation doesn’t function therefore well.