A Closer Look at a Vulnerability in Gmail

Gmail follows a strict rule that doesn’t allow users to have a first or last name containing the term Gmail or Google. That is, while signing up for a new Gmail account, users cannot choose a first or last name that contains either term.

You can see this from the below snapshot:

Google or Gmail cannot be used as first or last name

Gmail implements this rule for obvious security reasons. If users were allowed to have a first or last name containing the term Gmail or Google, they could easily impersonate Gmail (or the Gmail Team) and carry out phishing or social engineering attacks on innocent users. This could be done by simply choosing a first and last name from combinations such as the following:

First Name    Last Name
Gmail         Team
Google        Team
Gmail         Password Assistance

From the above snapshot we can see that Gmail has made a good move to stop users from abusing its services. However, this move alone isn’t enough to prevent malicious users from impersonating Gmail’s identity. This is because Gmail has a small vulnerability that can be easily exploited so that users can still have a name containing the terms Gmail or Google. You may wonder how to do this, but it is very simple:

  1. Log in to your Gmail account and click on Settings.

  2. Select Accounts tab.

  3. Click on edit info.

  4. In the Name field, select the second radio button and enter the name of your choice. Click on Save Changes and you’re done!

Now Gmail accepts any name, even if it contains the term Google or Gmail. You can see this in the snapshot below:

Vulnerability in Gmail
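
The gap described above comes from enforcing the name rule on the signup form only. As an added example (not code from the original post or from Gmail), the sketch below puts the check in one place that both the signup and the edit-info paths must pass through; the `Account` class and the `signup`/`edit_info` functions are hypothetical names, and the reserved terms are the two the article mentions.

```python
import unicodedata

# Assumption: the reserved terms are the two named in the article.
RESERVED_TERMS = ("gmail", "google")


def normalize(name: str) -> str:
    """Fold case and width variants, then keep only letters and digits."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def validate_display_name(name: str) -> None:
    """Raise ValueError if the name is empty or contains a reserved term."""
    squashed = normalize(name)
    if not squashed:
        raise ValueError("name must not be empty")
    for term in RESERVED_TERMS:
        if term in squashed:
            raise ValueError(f"name may not contain {term!r}")


class Account:
    """Hypothetical account model: every write to the name uses set_name()."""

    def __init__(self, first: str, last: str):
        self.set_name(first, last)

    def set_name(self, first: str, last: str) -> None:
        # Check the combined name so a term split across both fields is caught.
        validate_display_name(f"{first} {last}")
        self.first, self.last = first, last


def signup(first: str, last: str) -> Account:
    """Signup path: validation happens inside the model."""
    return Account(first, last)


def edit_info(account: Account, first: str, last: str) -> Account:
    """Settings path: same model method, therefore the same rule."""
    account.set_name(first, last)
    return account
```

Substring matching after stripping punctuation also rejects some legitimate names that happen to contain the same letters in sequence, so a deployment would pair it with a review path.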

Allowing users to have names containing the terms Gmail or Google is a serious vulnerability, even though it doesn’t seem to be a major one. This is because a hacker or malicious attacker can easily exploit this flaw and send phishing emails to other Gmail users asking for sensitive information such as their passwords. Most users don’t even hesitate to send their passwords, as they believe that they are sending them to the Gmail Team (or someone authorized). But in reality they are sending them to an attacker who uses this information for personal benefit.

So, the bottom line is: if you get any emails that appear to have come from the Gmail Team or similar, don’t trust them! Anyone can send such emails to fool you and take away your personal details. Hopefully Gmail will fix this vulnerability as soon as possible to avoid any disasters.
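
On the receiving side, the same impersonation can be caught by comparing the brand claimed in the display name with the domain of the actual sender address. The following is an added example, not part of the original post: the messages are constructed samples, and `OFFICIAL_DOMAINS` is a placeholder for whatever domains your policy treats as the provider's own.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

BRAND_TERMS = ("gmail", "google")                 # terms named in the article
OFFICIAL_DOMAINS = {"provider-official.example"}  # placeholder, set per policy

# Constructed sample messages (not real mail).
SAMPLES = [
    "From: Gmail Team <someone@mailbox.example>\nSubject: Verify\n\nbody\n",
    'From: "G-mail Password Assistance" <help@mailbox.example>\n'
    "Subject: Reset\n\nbody\n",
    "From: Google Team <notices@provider-official.example>\n"
    "Subject: Terms update\n\nbody\n",
    "From: Alice Example <alice@mailbox.example>\nSubject: Lunch\n\nbody\n",
]


def squash(text: str) -> str:
    """Fold case and width variants, drop spaces and punctuation."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def is_official(domain: str) -> bool:
    """True for an official domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)


def inspect_from(raw_message: str) -> dict:
    """Compare the brand claimed by the display name with the sending domain."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    claims_brand = any(term in squash(display) for term in BRAND_TERMS)
    flag = claims_brand and not is_official(domain)
    return {"display": display, "address": address, "flag": flag}


def flagged(messages):
    """Return the sender addresses of messages whose display name is suspect."""
    results = (inspect_from(m) for m in messages)
    return [r["address"] for r in results if r["flag"]]


if __name__ == "__main__":
    for raw in SAMPLES:
        print(inspect_from(raw))
```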

22 Comments

  1. Anonymous
    April 10, 2009 at 10:22 AM

    I cannot believe google overlooked the change your name function in the account settings. That is fantastic, there must be tons of holes in gmail. It definitely still works by the way


  2. Anonymous
    April 10, 2009 at 12:06 PM

    I am just going to complain google about it. BYE BYE!


  3. Slim0123
    April 10, 2009 at 11:54 AM

    Every software or service in this Computer Field is in its Beta stage, some admit it is and some don’t. Just give me name of any soft or service, and I’ll tell you why it is still in Beta stage…..


    • Srikanth
      April 11, 2009 at 12:13 AM

      @ Slim0123

      What you are saying is correct. Here I am just trying to show one small reason for that….. :)


  4. rizki wicaksono
    April 10, 2009 at 1:43 PM

    I think that is not a vulnerability. That name only shows in the “From:” header, which indeed can be easily spoofed (thanks to SMTP), BUT you can’t change the sender email address when sending email using Gmail. So, the “From:” header will be something like:
    From: Spoofed Name .

    When you use SMTP over SSL (authenticated mode) to send email using the Gmail mail server, you also can’t change the sender email address (please read http://www.ilmuhacking.com/how-to/sending-email-via-gmail-smtp-server-using-openssl/ ). Gmail will override the “From” header.

    Actually, you can change the sender email address to include the gmail keyword when you use the Gmail SMTP server in non-authenticated mode, but the consequences are:
    1. your email will not look legitimate because no DKIM header is found,
    2. your email will go to the Spam folder,
    3. last, in non-authenticated mode you can only send email to Google network email (@gmail and @other Google Apps domains)


    • Srikanth
      April 11, 2009 at 12:10 AM

      @ rizki wicaksono

      I am sorry, I think you have not got what I am saying. What I meant to say is, Gmail can be tricked to include the term “Gmail” or “Google” in the “From:” address field while sending outgoing emails. This will make the receivers of the email to believe that it has been sent from Gmail/Google team. This works both in authenticated(SSL) and non-SSL modes. I have tested this before I published this post. I am not trying to say that Gmail allows the change of but it allows the change of “From:” field to include the terms “Gmail” or “Google”. I think you have got what I am saying…

      Of course emails can be spoofed to contain any data in the header. But this is out of scope of this post. My point is to say that, Gmail makes it easy for the attackers to spoof the “From:” field to make it look like it has come from Gmail/Google.


  5. maqsood
    April 10, 2009 at 4:20 PM

    hello dear i am telling you that how to hack in college and how to make makamaka


  6. Sushant
    April 10, 2009 at 7:32 PM

    Srikanth u rock..


  7. boss
    April 10, 2009 at 10:01 PM

    its gr8 fact some1 shud tell google….

    Blunder if they wouldn’t know this….


  8. anonymus
    April 11, 2009 at 9:02 AM

    srikanth can you hack some passwords for me. contact me timodwyer14@gmail.com


  9. sayraf77
    April 16, 2009 at 12:50 AM

    hi srikanth,
    thanks for all the help and tricks, most of the articles where of help , started recently to check out your web and already learned so many things ,

    i got a problem with my system. when i shutdown my system, it doesn’t shutdown so i manually switch it off, can you suggest me why this happens and how can i fix it.

    also if im not burdening you, i recently, accidentally deleted partition and all my data got lost, i also rearranged partition what are the chances of retrieving the data and how can i retrieve it. please help me in a step by step procedure,

    thanks a TRILLION.


    • Srikanth
      April 18, 2009 at 3:47 PM

      @ sayraf77

      You need to check your PC for hardware problems. This happens when there is a wrong connection of wires in motherboard. This is a minor problem and can be solved free of cost.

      And regarding data recovery, you can search for “data recovery softwares” on Google


  10. sayraf77
    April 17, 2009 at 7:19 PM

    hi srikanth,
    i had posted a comment regarding system shutdown, etc and was looking for your reply, now there’s no reply nor my comment. why so did i ask anything wrong?
    thanks


  11. sayraf77
    April 23, 2009 at 1:13 PM

    thanks for the reply,
    but the suggestion was not specific,
    anyways thanks


  12. avnkailash
    July 6, 2009 at 8:25 PM

    If we click on the “Show details” button in any message we can get the real details of the sender.


  13. Vladimir Klimsa
    September 18, 2009 at 2:54 AM

    Thanks for sharing your learning. I use post from your site and publish article about email security. Vladimir


  14. Don
    January 1, 2010 at 7:56 AM

    Its fantastic but we can change only username and d email ID still goes the reall on.
    is there any way to change the ID


  15. radhika
    February 4, 2010 at 10:39 AM

    i want to know if sumone have changed my password how to get my id back i mean sumone has hacked my acc i want it back .there is no other way to get my id back??


  16. dzakwan
    March 2, 2010 at 1:45 PM

    thanks for sharing this very helpful


  17. 10 minute solution dvd
    April 29, 2010 at 12:59 PM

    Great post. There is good deal of great information right, though I did want to allow a person understand something – I am running Fedora utilizing the latest experiment with of Firefox, and the appear and feel associated with the blog is kind of bizarre for me. I read the articles, but the navigation doesn’t function therefore well.


  18. CyberKicks
    March 28, 2011 at 12:09 AM

    hmmmm Great

