Gmail Android app vulnerability allows anyone to send spoofed mail - vulnerability warning - the black bar safety net (myhack58)

2015-11-19T00:00:00
ID MYHACK58:62201569153
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-11-19T00:00:00

Description

Security researcher Yan Zhu found an interesting vulnerability in the Gmail Android app that lets anyone send an e-mail that appears to come from someone else, which may open a door for phishers' malicious activity.

The Gmail Android app has an e-mail spoofing flaw

This activity is called e-mail spoofing: tampering with the e-mail header so that the message appears to come from someone other than the actual sender. Generally, in order to forge a sender address, an attacker needs:

1. A working SMTP (Simple Mail Transfer Protocol) server to send the e-mail
2. Mail-sending software

However, independent security researcher Yan Zhu discovered a similar flaw in the official Gmail Android app that allowed her to hide her real e-mail address simply by changing her display name in the account settings, so that the recipient cannot tell who the real sender is.

How is a spoofed mail sent through the Gmail Android app?

To demonstrate her discovery, Zhu changed her display name to yan ""security@google.com" (adding an extra quotation mark) and sent an e-mail to another person. The screenshots Zhu published on her Twitter account show the result.

Zhu explained to Motherboard: "The extra quotation marks in the display name trigger a parsing error in the Gmail app, which causes the real e-mail address not to be shown."

Once the recipient receives the e-mail, the displayed sender address leads them to believe the message came from a legitimate Gmail security team, when in fact it did not.

Google: this defect is not a security vulnerability

At the end of October, Zhu submitted the flaw to the Google security team, but they rejected her report, explaining that the bug is not a security vulnerability.

Although e-mail spoofing has legitimate uses, forging an e-mail address is so easy that spammers and phishers use it to harm the public and institutions.
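The parsing failure described above can be reproduced and detected on the receiving side. The following is an added example written for this page, not Gmail's or Zhu's code: a strict RFC 5322 quoted-string scanner (`strict_angle_addr`) gives up on the stray quotation mark exactly as the article describes, while `analyse_from` falls back to the last angle address, recovers the real sender and flags both the unbalanced quotes and the decoy address planted in the display name. All function names and the sample headers (sender domain `example.test`) are constructed for the example.

```python
"""Detector for display-name spoofing in a From: header (added example).
A stray '"' in the display name opens an RFC 5322 quoted-string that never
closes, so a strict scanner never sees the real <addr-spec> and a naive UI
shows only the decoy text that precedes it."""
import re

# Loose "local@domain" matcher, used only to spot decoys inside display names.
ADDR_RE = re.compile(r'[^\s"<>@]+@[^\s"<>]+')
ANGLE_RE = re.compile(r"<([^<>]+)>")


def strict_angle_addr(header):
    """Strict pass: honour '<' and '>' only outside quoted-strings.
    Returns (addr_spec or None, index of its '<' or None, quotes_balanced)."""
    in_quote, start, addr, lt_pos = False, None, None, None
    i = 0
    while i < len(header):
        c = header[i]
        if in_quote:
            if c == "\\":
                i += 1            # quoted-pair: skip the escaped character
            elif c == '"':
                in_quote = False
        elif c == '"':
            in_quote = True
        elif c == "<":
            start = i + 1
        elif c == ">" and start is not None:
            addr, lt_pos, start = header[start:i].strip(), start - 1, None
        i += 1
    return addr, lt_pos, not in_quote


def analyse_from(header):
    """Return the real addr-spec, the display name, any decoy addresses found
    in it, and the reasons the header looks spoofed."""
    reasons = []
    addr, lt_pos, balanced = strict_angle_addr(header)
    if not balanced:
        reasons.append("unbalanced_quotes")
    if addr is None:
        # Lenient fallback: trust the last <...> wherever it sits, so the real
        # sender is recovered even when the strict pass gave up.
        matches = list(ANGLE_RE.finditer(header))
        addr = matches[-1].group(1).strip() if matches else header.strip()
        lt_pos = matches[-1].start() if matches else 0
    display = header[:lt_pos].strip()
    decoys = [a for a in ADDR_RE.findall(display) if a.lower() != addr.lower()]
    if decoys:
        reasons.append("address_in_display_name")
    return {"addr": addr, "display": display, "decoys": decoys, "reasons": reasons}


if __name__ == "__main__":
    # Constructed header modelled on the article's trick; sender is a placeholder.
    print(analyse_from('yan ""security@google.com" <attacker@example.test>'))
```

A mail client that surfaces `reasons` next to the sender, or a gateway rule that quarantines on `unbalanced_quotes`, closes the gap the article describes without depending on the client's own display-name rendering.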
How to protect yourself from e-mail spoofing

If you want to protect yourself from deceptive messages, you can follow these steps:

1. Turn on the spam filter. Almost every e-mail service provides a spam filter and a junk folder, which can move fraudulent mail into your spam list.
2. Learn to read e-mail headers and trace the IP address. Tracing the source of spam is good practice. When you receive a suspicious e-mail, open the message headers and check whether the sender's IP address matches that of earlier e-mails from the same person.
3. Never click suspicious links or download unfamiliar attachments. Be careful with the mail you receive; do not click links in it or download its attachments. If you receive a message that claims to be from a bank or another site, go directly to the bank's or the site's official website in your browser and log in to your account to see what they want to show you.
4. Always keep the anti-virus software on your computer up to date.