A Closer Look at a Vulnerability in Gmail

Vulnerabilities in Gmail Gmail follows a strict rule that doesn’t allow its users to have their first or the last name contain the term Gmail or Google. That is, while signing up for a new Gmail account, the users cannot choose a first or last name that contains the term Gmail or Google.

You can see this from the below snapshot:

Google or Gmail cannot be used as first or last name

This rule is implemented by Gmail for obvious security reasons. If the users are allowed to keep their first or the last name that contains the term Gmail or Google, then it is possible to easily impersonate the identity of Gmail (or Gmail Team) and engage themselves in phishing or social engineering attacks on the innocent users. This can be done by simply choosing the first and last name with the following combinations:

First Name Last Name

Gmail Team

Google Team

Gmail Password Assistance

From the above snapshot we can see that, Gmail has made a good move in stopping the users from abusing its services. However this move isn’t just enough to prevent the malicious users from impersonating the Gmail’s identity. This is because, Gmail has a small vulnerability that can be easily exploited so that, the users can still have their name contain the terms Gmail or Google. You may wonder how to do this. But it is very simple:

Log in to your Gmail account and click on Settings.
Select Accounts tab.
Click on edit info.
In the Name field, select the second radio button and enter the name of your choice. Click on Save Changes and you’re done!

Now, Gmail accepts any name even if it contains the term Google or Gmail. You can see from the below snapshot:

Vulnerability in Gmail

Allowing the users to have their names contain the terms Gmail or Google is a serious vulnerability even though it doesn’t seem to be a major one. This is because, a hacker or a malicious attacker can easily exploit this flaw and send phishing emails to other Gmail users asking for sensitive information such as their passwords. Most of the users don’t even hesitate to send their passwords as they believe that they are sending it to the Gmail Team (or someone authorized). But, in reality they are sending it to an attacker who uses these information to seek personal benefits.

So, the bottom line is, if you get any emails that appears to have come from the Gmail Team or similar, don’t trust them! Anyone can send such emails to fool you and take away your personal details. Hope that Gmail will fix this vulnerability as soon as possible to avoid any disasters.

RECENT
POPULAR

Hack Facebook Password: Facebook Hacking Explained

Need to hack someone’s Facebook password? Well, you’re at the right place! In this ...
Porn Blocker: How to Block Porn Off Your Computer

Due to a rapid increase in the number of porn websites across the Internet, ...
How to Use Google for Hacking

Google serves almost 80 percent of all the search queries on the Internet, proving itself ...
How to Send Spoofed Emails Anonymously

Most of us are very curious to know a method to send spoofed emails to ...
How to Hack a Yahoo Password

Every day, a lot of people contact me about suspecting their boyfriend or girlfriend of cheating and ...

How to Bypass Right Click Block on Any Website

You might remember an experience where you tried to right-click on a web page ...
Turn Your Webcam into a Spy Cam for Free

You can now easily monitor your room, office or workplace for activities going on ...
What is Doxing and How it is Done?

In the modern world, Internet has become a wonderful place to gain knowledge, exchange ideas, ...
Beware of Password Hacking Scams and Fake Tutorials

In the era of Internet, emails and social networking have taken a prominent role ...
How to Know if Someone Accessed My Computer When I am Away

Do you have a feeling that someone tried to access your computer when you ...

22 Comments

Anonymous
April 10, 2009 at 10:22 AM

I cannot believe google overlooked the change your name function in the account settings. That is fantastic, there must be tons of holes in gmail. It definitely still works by the way

Reply
Slim0123
April 10, 2009 at 11:54 AM

Every software or service in this Computer Field is in its Beta stage, some admit it is and some don’t. Just give me name of any soft or service, and I’ll tell you why it is still in Beta stage…..

Reply

Srikanth
April 11, 2009 at 12:13 AM

@ Slim0123

What you are saying is correct. Here I am just trying to show one small reason for that…..

Reply

Anonymous
April 10, 2009 at 12:06 PM

I am just going to complain google about it. BYE BYE!

Reply
rizki wicaksono
April 10, 2009 at 1:43 PM

i think that is not vulnerability. That name only show at “From:” header that indeed can be easily spoofed (thanks to smtp), BUT you can’t change sender email address when sending email using gmail. So, the “From:” header will be something like:
From: Spoofed Name .

when you use smtp over SSL (authenticated mode) to send email using gmail mail server, you also can’t change sender email address ( please read http://www.ilmuhacking.com/how-to/sending-email-via-gmail-smtp-server-using-openssl/ ). Gmail will override “from header”.

Actually you can change sender email address to include gmail keyword when you use gmail smtp server in non-authenticated mode, but the consequences is: 1. your email will look not legitimate because no DKIM header found, 2. your email will goes to Spam folder,
3. last, in non-authenticated mode you can only send email to google network email (@gmail and @other google apps domain)

Reply

Srikanth
April 11, 2009 at 12:10 AM

@ rizki wicaksono

I am sorry, I think you have not got what I am saying. What I meant to say is, Gmail can be tricked to include the term “Gmail” or “Google” in the “From:” address field while sending outgoing emails. This will make the receivers of the email to believe that it has been sent from Gmail/Google team. This works both in authenticated(SSL) and non-SSL modes. I have tested this before I published this post. I am not trying to say that Gmail allows the change of but it allows the change of “From:” field to include the terms “Gmail” or “Google”. I think you have got what I am saying…

Of course emails can be spoofed to contain any data in the header. But this is out of scope of this post. My point is to say that, Gmail makes it easy for the attackers to spoof the “From:” field to make it look like it has come from Gmail/Google.

Reply

maqsood
April 10, 2009 at 4:20 PM

hello dear i am telling you that how to hack in college and how to make makamaka

Reply
Sushant
April 10, 2009 at 7:32 PM

Srikanth u rock..

Reply
boss
April 10, 2009 at 10:01 PM

its gr8 fact some1 shud tell google….

Blunder if they wouldn’t know this….

Reply
anonymus
April 11, 2009 at 9:02 AM

srikanth can you hack some passwords for me. contact me timodwyer14@gmail.com

Reply
sayraf77
April 16, 2009 at 12:50 AM

hi srikanth,
thanks for all the help and tricks, most of the articles where of help , started recently to check out your web and already learned so many things ,

i got a problem with my system . when i shutdown my system, it doesn’t shutdown so i manually switsh it off, can you suggest me why this happens and how can i fix it.

also if im not burdening you, i recently, accidently deleted partition and all my data got lost, i also rearranged partition what are the chances of retreiving the data and how can i retreive it. please help me in a step by step procedure ,

thanks a TRILLION.

Reply

Srikanth
April 18, 2009 at 3:47 PM

@ sayraf77

You need to check your PC for hardware problems. This happens when there is a wrong connection of wires in motherboard. This is a minor problem and can be solved free of cost.

And regarding data recovery you can serach for “data recovery softwares” on Google

Reply

sayraf77
April 17, 2009 at 7:19 PM

hi srikanth,
i had posted a comment regarding system shutdown , etc and was looking for your repley, now theirs no reply nor my comment . why so did i ask anything wrong?
thanks

Reply
sayraf77
April 23, 2009 at 1:13 PM

thanks for the reply,
but the sugestion was not specific,
anyways thanks

Reply
avnkailash
July 6, 2009 at 8:25 PM

If we click on the “Show details” button in any message we can get the real details of the sender.

Reply
Vladimir Klimsa
September 18, 2009 at 2:54 AM

Thanks for sharing yout learning. I use post from your site and publish article about email security. Vladimir

Reply
Don
January 1, 2010 at 7:56 AM

Its fantastic but we can change only username and d email ID still goes the reall on.
is there any way to change the ID

Reply
radhika
February 4, 2010 at 10:39 AM

i want to know if sumone have changed my password how to get my id back i mean sumone has hacked my acc i want it back .there is no other way to get my id back??

Reply

Srikanth
February 12, 2010 at 1:53 PM

@ Radhika

Refer the following link

How to Protect an Email Account from being Hacked

Reply

dzakwan
March 2, 2010 at 1:45 PM

thanks for sharing this very helpfull

Reply
10 minute solution dvd
April 29, 2010 at 12:59 PM

Great post. There is good deal of great information right, though I did want to allow a person understand something – I am running Fedora utilizing the latest experiment with of Firefox, and the appear and feel associated with the blog is kind of bizarre for me. I read the articles, but the navigation doesn’t function therefore well.

Reply
CyberKicks
March 28, 2011 at 12:09 AM

hmmmm Great

Reply

Click here to cancel reply.

A Closer Look at a Vulnerability in Gmail

GET UPDATES VIA EMAIL

Go Hacking on Facebook

CATEGORIES

Go Hacking on Google+

22 Comments

Anonymous

Srikanth

Anonymous

Srikanth

Sushant

boss

anonymus

sayraf77

Srikanth

sayraf77

sayraf77

Don

radhika

Srikanth

Leave A Reply

WHO IS BEHIND GO HACKING

Recent Comments

Blogroll