About 3 weeks ago, we reported on an Inbox by Gmail spoofing flaw found by security researcher Eli Grey. This design flaw allowed a malicious mailto link to spoof the email recipient: the link automatically populated the name in the address field, and the actual email destination was not shown unless the user manually checked before sending. The flaw could be taken advantage of because of the way Inbox by Gmail parsed mailto links. Today, we noticed that the Inbox by Gmail team has fixed this issue, as email recipients are now clearly displayed to the user.
As you can see in the screenshots above, the issue has now been resolved. Previously (left), only the name of the recipient was displayed, while now (right), the name and the destination email address are shown to the user. We were using this mailto link as an example to demonstrate the issue: It previously showed the email recipient as “[email protected]” but in reality, the email would be going to [email protected] (which is obviously not a real address).
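The display rule the fix reflects, sketched as an added example (this is not Google's code and not from the original report): parse the recipient part of a mailto link, always render the real address next to the name, and flag a display name that itself contains a different address. The function names, the `suspicious` flag and the sample links are assumptions made for illustration, and only the path part of the link is handled, not a `?to=` field.

```javascript
// Added example, not Inbox code. Matches something that looks like an address.
const ADDR = /[^\s<>"@,]+@[^\s<>"@,]+\.[^\s<>"@,]+/;

// Split a recipient list on commas that sit outside double quotes.
function splitRecipients(list) {
  const parts = [];
  let cur = '', quoted = false;
  for (const ch of list) {
    if (ch === '"') quoted = !quoted;
    if (ch === ',' && !quoted) { parts.push(cur); cur = ''; } else cur += ch;
  }
  parts.push(cur);
  return parts.map(p => p.trim()).filter(Boolean);
}

// Parse the "to" part of a mailto: link into {name, address, label, suspicious}.
function parseMailto(link) {
  const m = /^mailto:([^?]*)/i.exec(link);
  if (!m) throw new Error('not a mailto link');
  return splitRecipients(decodeURIComponent(m[1])).map(entry => {
    const angle = /^(.*)<([^<>]+)>$/.exec(entry);
    const address = (angle ? angle[2] : entry).trim();
    const name = angle ? angle[1].trim().replace(/^"(.*)"$/, '$1').trim() : '';
    // A display name containing an address other than the real destination
    // is the misleading case described in the article.
    const inName = ADDR.exec(name);
    const suspicious = !!inName && inName[0].toLowerCase() !== address.toLowerCase();
    // Always show the real destination, never the name alone.
    const label = name ? `${name} <${address}>` : address;
    return { name, address, label, suspicious };
  });
}
```

A compose UI that renders `label` instead of `name` shows the destination in every case; the `suspicious` flag can additionally drive a warning.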
We reached out to Google to confirm that this fix is in place for all users of Inbox by Gmail. This issue has apparently been around for a while, but it’s good to see Google get around to fixing it. Inbox is supposed to make our lives easier by decluttering our email inboxes and offering tools to intelligently manage our emails, so we can see how such an issue could easily fool a large number of Inbox users.