Bug In Gmail For Android Lets You Spoof Your Email Address


A bug has been discovered in the official Gmail app for Android which lets you spoof your email address to anything you want, fooling recipients into believing the email came from someone other than you.


You Can Easily Spoof Your Email Address If You're Using Gmail For Android

The bug was discovered by security researcher Yan Zhu, who showed that anyone can reproduce it simply by adding an extra quotation mark at the beginning of the display name field in their account settings. Strangely enough, the recipient has no way of telling that anything is wrong; to them, the email looks entirely legitimate.

In order to recreate this bug, simply change your display name in the following format:

yan ""security@google.com"

That extra quotation mark is all it takes for the spoofing to take place.


According to Zhu in a statement to Motherboard:


The extra quotes trigger a parsing bug in the Gmail app, which causes the real email to be visible.

Google, for its part, has been notified of the bug and does not consider it a security vulnerability.

Thanks for your note, we don't consider this to be a security vulnerability

It's worth noting that this bug is confined to the Gmail for Android app and cannot be reproduced in any other client, which is good news. On the other hand, it is still cause for concern, since an ill-intentioned individual could use it to lend credibility to a phishing scam and lure a user into a carefully crafted scheme.
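The underlying weakness is a client that renders whatever address-like text it finds in the display name instead of the real addr-spec. The check below is an added example, not code from the article or from Google: it parses a From header with Python's standard library, which follows RFC 5322 and takes the real sender from the angle-bracket addr-spec, then flags any display name that contains an address other than the real one. The sample headers are constructed; the first mimics a display name of the shape described above, with the inner quotes escaped as a standards-compliant client would emit them.

```python
import re
from email.utils import parseaddr

# Loose pattern for anything that looks like an email address inside a display name.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_from(header_value):
    """Split a From: header into (display_name, addr_spec) per RFC 5322.

    The real sender is the addr-spec inside <...>; text in the display
    name, quoted or not, is never the sender no matter what it contains.
    """
    name, addr = parseaddr(header_value)
    return name.strip(), addr.lower()


def lookalike_address_in_name(header_value):
    """Return an address embedded in the display name that differs from the
    real addr-spec, or None when the display name is harmless."""
    name, addr = parse_from(header_value)
    if not addr:
        return None  # unparseable header; reject or quarantine upstream
    for candidate in ADDR_RE.findall(name):
        if candidate.lower() != addr:
            return candidate
    return None


# Constructed sample headers (hypothetical, not taken from the article).
SAMPLES = [
    r'"yan \"\"security@google.com\"" <yan@example.com>',  # address hidden in the name
    '"Yan Zhu" <yan@example.com>',                          # ordinary display name
    '"yan@example.com" <yan@example.com>',                  # name repeats the real address
]


def main():
    for header in SAMPLES:
        name, addr = parse_from(header)
        flag = lookalike_address_in_name(header)
        verdict = f"SUSPICIOUS (name shows {flag!r})" if flag else "ok"
        print(f"{addr:<18} name={name!r:<32} {verdict}")


if __name__ == "__main__":
    main()
```

A mail gateway or client can apply the same rule at render time: show the addr-spec prominently and warn when the display name carries a different address.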

We highly recommend that users remain careful when receiving and replying to emails, and double-check any message that contains links. One thing can easily lead to another. Malicious links can also lure a user into revealing the username and password for a particular account, be it Facebook, Gmail itself, Twitter or anything else, because the user has been tricked into believing the email came from a legitimate and trusted source.

We strongly recommend that users take every precaution to keep their email account as secure as possible. A complex password is a good start, but nothing beats topping it off with two-factor authentication.

We can never be too safe in the digital world, but a little caution can go a long way.