Beware people! A bug in Gmail’s Android app would allow people with bad intention to hide their identity and impersonate other people and organizations.
Yan Zhu, a security researcher, discovered the bug in the end of October which Google has said to have fixed.
In order to stay safe, Gmail users should study the email address carefully. Don’t hit reply to ask for verification. Walk over and have a chat, or send a note using what you know is their real email address.
Email spoofing is not a new thing which allowed the hackers sending an email which looks like from another account by hiding their own addresses.
As per the researcher, the sender’s real email address would be hidden, and the receiver wouldn’t be able to reveal it by even by opening the email and expanding the contents.
Zhu told Motherboard that she had changed her display name to yan “security@google.com” with an extra quotation mark.
She shared a screenshot of the mail with the Motherboard.
According to Motherboard, DomainKeys Identified Mail (DKIM) signature digitally signs emails for a given domain and establishes authenticity.
When John Shier, a security enthusiast, noted that a set of emails to discern whether they were phish or legit, the DKIM was one of the clues that led him to the conclusion that one of the emails in question was for real.
DKIM doesn’t filter or identify spoofed emails, per se, but it can be helpful in approving legitimate email.
In fact, Google has used it to authenticate email coming from eBay and PayPal: both heavily phished properties.
If a message comes in to Gmail purporting to be from either but lacks DKIM, out it goes – it doesn’t even make it into the Spam folder.
