Want to make an email look like it came from someone else’s address? It’s shockingly easy to do, as a new Gmail bug reported by independent security researcher Yan Zhu reveals. Speaking with Motherboard, Zhu explains that all you have to do is change the display name in your settings in the official Gmail app so that it conceals your actual email address.
In this instance, Zhu entered “”firstname.lastname@example.org” as her display name in Gmail. Note the two quotation marks at the start: apparently, this is what covers up your actual email address and makes it look like the message is coming directly from Google’s own security team. The display name is free-form text chosen by the sender, so the only thing that makes it trustworthy is a mail client that always shows the real sending address next to it; when the client shows the name alone, the name can say anything. Obviously this could be used in phishing attacks by someone impersonating an organization and asking the recipient to send back sensitive information.
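To make the class of problem concrete, here is an added example (not code from the article, Motherboard or Google, and not a description of how the Gmail app actually parses its headers, which the article does not give). It uses constructed From: values in which the display name is built to look like an address on a different domain, shows a hypothetical naive renderer that trusts the display name and so hides the real sender, and beside it a hardened renderer that always shows the real address and flags a display name that itself looks like an email address on another domain. The header values, domains and function names are all assumptions made for the demonstration.

```python
import re

# Constructed From: header values for the demonstration (not taken from the
# article or from any real message). In each, the text before <...> is the
# sender-controlled display name; the angle-addr is the real sending address.
HONEST_FROM = 'Alice Example <alice@example.com>'
SPOOFED_FROM = '""security-team@example.org" <attacker@example.net>'

# The real addr-spec is only ever taken from the final <angle-addr>.
ANGLE_ADDR = re.compile(r'<\s*([^<>\s@]+@[^<>\s@]+)\s*>\s*$')
# Anything address-shaped inside the display name is a lookalike candidate.
ADDR_LIKE = re.compile(r'[^\s"<>@]+@[^\s"<>@]+')


def render_naive(from_value):
    """Hypothetical client rendering that trusts the display name: drop the
    <addr-spec>, strip surrounding quotes and show whatever is left. This
    mirrors the class of bug the article describes; it is not Gmail's code."""
    shown = ANGLE_ADDR.sub('', from_value).strip().strip('"').strip()
    return shown or from_value


def parse_from(from_value):
    """Return (display_name, addr_spec). Everything before the angle-addr is
    untrusted display text and is never used as the address."""
    m = ANGLE_ADDR.search(from_value)
    if not m:
        raise ValueError('no angle-addr in From value: %r' % from_value)
    return from_value[:m.start()].strip(), m.group(1)


def render_safe(from_value):
    """Hardened rendering: always show the real addr-spec beside the name, and
    warn when the display name contains an address whose domain differs from
    the actual sender's domain (the lookalike pattern in the article)."""
    name, addr = parse_from(from_value)
    real_domain = addr.rsplit('@', 1)[1].lower()
    suspicious = any(
        tok.rsplit('@', 1)[1].lower() != real_domain
        for tok in ADDR_LIKE.findall(name)
    )
    shown = '%s <%s>' % (name, addr) if name else addr
    if suspicious:
        shown = ('[warning: display name contains an address that is not '
                 'the sender] ' + shown)
    return shown


if __name__ == '__main__':
    for value in (HONEST_FROM, SPOOFED_FROM):
        print('naive:', render_naive(value))
        print('safe: ', render_safe(value))
```

Running it shows the naive renderer turning the spoofed header into a bare `security-team@example.org` while the real `attacker@example.net` disappears, whereas the hardened renderer keeps the real address visible and adds a warning. The check is deliberately conservative: it compares only the domain of any address-shaped text in the display name against the domain of the true sender, so a legitimate name such as "alice@example.com" on a message that really is from example.com is not flagged.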
OK, so Google must be all over this, right? Sadly, no. Zhu informed Google of the bug late last month, and the company responded that it does not consider it a security vulnerability.
This is a puzzling attitude. As Motherboard explains, “it’s always been possible to spoof email envelope addresses, but spoofed emails now usually get caught by spam filters or get displayed with a warning in Gmail… with this bug, a hacker can get around these protections.” And even if Google doesn’t consider this to be a critical security vulnerability, what would be the harm in fixing it?