A newly exposed bug in Gmail makes it possible for senders to push email out without revealing the sender’s address. The bug allows a sender to alter the “From:” header so that Gmail leaves the field unpopulated and the sender’s name invisible, even when the message is opened.
Tampering with the “From:” header by replacing some of its text with an <object>, <script> or <img> tag causes the interface to show a blank space instead of the sender’s address.
The bug was discovered by Tim Cotten, who was playing with some previously identified bugs to see how they might be exploited. By embedding an object, script or img tag in the header, he was able to completely hide who the sender of a message is.
The good news is that the issue isn’t with how email is handled by Google’s servers; the problem rests purely in the Gmail user interface. The bug does not manifest in a standalone email client, only in the web-based Gmail interface. That still makes it an interesting vector for spammers and those looking to launch phishing attacks.
For now, if you’re running a corporate mail system that uses Gmail, it’s worth notifying your users not to open messages that have no sender in the “From” field.
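Because the defect is in how the interface renders the header rather than in how the server handles the message, a mail gateway or filter can still see the raw “From:” header and flag the pattern before a user ever sees a blank sender. The following check is an added example written for this article, not code from Gmail or from the researcher; it parses a raw RFC 5322 message with Python’s standard `email` module and reports a From header that is missing, that contains HTML-style tags of the kind described above, or that yields no parseable address. The sample messages inside it are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# HTML-style tags that have no business in a From header. The article reports
# object, script and img; iframe and style are added here as assumptions of the
# same kind. Matching is case-insensitive and tolerates "<" followed by spaces.
SUSPICIOUS_TAG = re.compile(r"<\s*/?\s*(object|script|img|iframe|style)\b",
                            re.IGNORECASE)


def check_from_header(raw_message: str) -> list:
    """Inspect the From header of one raw RFC 5322 message.

    Returns a list of finding labels; an empty list means the header looks
    ordinary. Findings, in the order they are appended:
      - "missing-from":          no From header, or an empty one
      - "html-tag-in-from":      the header text contains a suspicious tag
      - "no-parseable-address":  no addr-spec with an "@" could be recovered
    """
    msg = message_from_string(raw_message)
    findings = []

    raw_from = msg.get("From")
    if raw_from is None or not raw_from.strip():
        findings.append("missing-from")
        return findings

    # Check the raw header text, not the parsed address: the bug is triggered
    # by what the UI renders, so the literal tag text is the signal.
    if SUSPICIOUS_TAG.search(raw_from):
        findings.append("html-tag-in-from")

    # parseaddr() returns (display_name, addr_spec); whatever it returns for a
    # malformed header, a real sender address must contain an "@".
    _name, addr = parseaddr(raw_from)
    if "@" not in addr:
        findings.append("no-parseable-address")

    return findings


# Constructed sample messages (not real traffic).
NORMAL_MESSAGE = (
    'From: "Alice Example" <alice@example.com>\r\n'
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)

NO_FROM_MESSAGE = (
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)

TAGGED_FROM_MESSAGE = (
    'From: <object data="x"></object>\r\n'
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)


if __name__ == "__main__":
    for label, sample in (("normal", NORMAL_MESSAGE),
                          ("no-from", NO_FROM_MESSAGE),
                          ("tagged-from", TAGGED_FROM_MESSAGE)):
        print(f"{label}: {check_from_header(sample) or 'ok'}")
```

A finding of `html-tag-in-from` or `missing-from` is a reasonable trigger for quarantining the message or prepending a visible warning to its subject at the gateway, which protects webmail users who would otherwise see only the blank field.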