A newly discovered bug in Gmail lets a sender deliver mail while hiding the sending address. By malforming the “From:” header, the sender can get Gmail to leave the field blank, so that neither the sender’s name nor address is shown even when the message is opened.
The bug was discovered by Tim Cotten, who was experimenting with previously identified bugs to see how they might be exploited. By embedding an HTML tag such as <object>, <script> or <img> in the From header, he was able to hide the sender of a message completely.
The issue isn’t with how Google’s servers handle mail, which is good news; the problem rests purely in the Gmail web interface. Many people use a separate email client in which the bug may not manifest, but plenty rely on the web-based Gmail interface, and some of them will open a message with a blank sender out of curiosity. That makes this an attractive vector for spammers and for phishing campaigns.
Exacerbating the situation, Cotten reported this and other issues he has found with Google’s email service but, as yet, has received no response.
For now, if you run a corporate mail system that uses Gmail, it’s worth telling your users not to open messages that show no sender in the “From” field, and to treat any such message as suspect.
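User awareness is a stopgap; an administrator would also want to catch these messages before they reach an inbox. The following is an added example, not code from the article or from Cotten’s report: a gateway-side check, using only Python’s standard email library, that flags a From: header which is missing or empty, carries no address, or embeds HTML tag-like text of the kind the article describes. The sample messages are constructed for the example, and the finding codes are my own.

```python
"""Flag messages whose From: header is blank, addressless, or carries HTML tags.

Added example for this article; not code from Google, Gmail, or Tim Cotten.
It audits the raw From: header of an RFC 5322 message the way a mail gateway
or mailbox filter might, and returns finding codes (names chosen here).
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Matches "<tag>" or "<tag ...>" but not "<local@domain>": the tag name must be
# followed by whitespace or ">", whereas an addr-spec continues with "@" or ".".
# A quirky display name such as "Sales <Team>" would also trip this, which is
# an acceptable false positive for a filter that only raises a warning.
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9-]*)(?:\s[^>]*)?>")


def audit_from_header(raw_from):
    """Return a list of finding codes for one From: header value ([] means clean)."""
    findings = []
    if raw_from is None or not raw_from.strip():
        findings.append("from-missing-or-empty")
        return findings
    # Scan the raw header, not the parsed display name, so the check still fires
    # when the tag text is unquoted and confuses the address parser.
    for match in TAG_RE.finditer(raw_from):
        findings.append("tag-in-from:" + match.group(1).lower())
    _display_name, addr = parseaddr(raw_from)
    if "@" not in addr:
        findings.append("from-has-no-address")
    return findings


def audit_message(raw_message):
    """Parse a raw message and audit its From: header."""
    msg = message_from_string(raw_message)
    return audit_from_header(msg.get("From"))


def suspicious_messages(raw_messages):
    """Return (index, findings) for every message that trips at least one check."""
    flagged = []
    for index, raw in enumerate(raw_messages):
        findings = audit_message(raw)
        if findings:
            flagged.append((index, findings))
    return flagged


# Constructed sample messages (not real mail captures).
CLEAN_MSG = (
    "From: Alice Example <alice@example.com>\r\n"
    "To: bob@example.net\r\n"
    "Subject: lunch?\r\n"
    "\r\n"
    "Noon works for me.\r\n"
)

# Display name carries an <img> tag, the shape of malformed From: the article describes.
TAGGED_MSG = (
    "From: \"<img src='http://example.org/x'>\" <sender@example.org>\r\n"
    "To: bob@example.net\r\n"
    "Subject: invoice\r\n"
    "\r\n"
    "See attached.\r\n"
)

# From: header present but empty.
EMPTY_FROM_MSG = (
    "From: \r\n"
    "To: bob@example.net\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)

# No From: header at all.
NO_FROM_MSG = (
    "To: bob@example.net\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    for index, findings in suspicious_messages(
        [CLEAN_MSG, TAGGED_MSG, EMPTY_FROM_MSG, NO_FROM_MSG]
    ):
        print(f"message {index}: {', '.join(findings)}")
```

Run as a filter, a hit on any of these codes is a reason to quarantine or at least tag the message, since a legitimate correspondent has no reason to put markup in a display name or to send with no From: address at all.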