Monday 14 July 2014

A Closer Look at a Vulnerability in Gmail

Vulnerabilities in GmailGmail follows a strict rule that doesn’t allow its users to have their first or the last name contain the term Gmail or Google. That is, while signing up for anew Gmail account, the users cannot choose a first or last name that contains the term Gmail or Google.
You can see this from the below snapshot:
Google or Gmail cannot be used as first or last name
This rule is implemented by Gmail for obvious security reasons. If the users are allowed to keep their first or the last name that contains the term Gmail or Google, then it is possible to easily impersonate the identity of Gmail (or Gmail Team) and engage themselves in phishing or social engineering attackson the innocent users. This can be done by simply choosing the first and last name with the following combinations:
First Name        Last Name
Gmail                       Team
Google                     Team
Gmail                       Password Assistance
From the above snapshot we can see that, Gmail has made a good move in stopping the users from abusing its services. However this move isn’t just enough to prevent the malicious users from impersonating the Gmail’s identity. This is because, Gmail has a small vulnerability that can be easily exploited so that, the users can still have their name contain the terms Gmail or Google. You may wonder how to do this. But it is very simple:
  1. Log in to your Gmail account and click on Settings.
  2. Select Accounts tab.
  3. Click on edit info.
  4. In the Name field, select the second radio button and enter the name of your choice. Click onSave Changes and you’re done!
Now, Gmail accepts any name even if it contains the term Google or Gmail. You can see from the below snapshot:
Vulnerability in Gmail
Allowing the users to have their names contain the terms Gmail or Google is a serious vulnerability even though it doesn’t seem to be a major one. This is because, a hacker or a malicious attacker can easily exploit this flaw and send phishing emails to other Gmail users asking for sensitive information such as their passwords. Most of the users don’t even hesitate to send their passwords as they believe that they are sending it to the Gmail Team (or someone authorized). But, in reality they are sending it to an attacker who uses these information to seek personal benefits.
So, the bottom line is, if you get any emails that appears to have come from the Gmail Team or similar, don’t trust them! Anyone can send such emails to fool you and take away your personal details. Hope that Gmail will fix this vulnerability as soon as possible to avoid any disasters.

No comments:

Post a Comment