[Update: Fixed] Google Inbox emails can be spoofed to fake the recipient
Be careful what you click on. Security researcher Eli Grey has found a design flaw in Google Inbox that lets an attacker craft a mailto link which spoofs the recipient of an email. He found the issue on May 4th, 2017, almost a year ago, and reported it to Google privately. After he followed up on March 16th of this year and the flaw remained unresolved, he decided to disclose it publicly.
Normally, mailto links are used to pre-populate an email and save users some time. We use a mailto link on our tip page to make it easier for readers to send us a tip. Email clients such as Gmail or Google Inbox parse these links and pre-compose a draft with whatever fields the link specifies: recipient, subject and body. For example, you could click a link to email PayPal customer support and it would show [email protected] in the recipient box.
What Eli Grey discovered is that a mailto link can be constructed to spoof the email recipient in Google Inbox. The draft might show [email protected] as the recipient while the message is actually delivered to an entirely different address. The only way you would notice is by inspecting the mailto link itself or expanding the “to” field before sending.
As an example, this mailto link will place [email protected] in the “to” box, but if you actually send the email it will instead go to [email protected] (obviously not a real address). Fortunately, the issue does not seem to affect Gmail or Outlook, so if you use those services this particular flaw does not apply to you.
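Because the point of the issue is that the address shown in the compose window and the address the mail actually goes to can differ, a practical check is to parse the mailto link yourself and list every recipient it carries. The following is an added example, not code from this article or from Eli Grey's disclosure, and it does not reproduce the specific link he used: it is a generic parser following RFC 6068, which allows recipients both in the path and in `to`, `cc` and `bcc` query fields, and it reduces any RFC 5322 name-addr form (`"Name" <address>`) to the bare address. Every address in it is a constructed placeholder.

```javascript
// Added example (not from the article or from Eli Grey's disclosure): a
// defensive parser for mailto links per RFC 6068. It returns every address
// the mail client would actually deliver to, so a user, browser extension
// or reviewer can compare that list with what the compose window displays.
// All addresses used here are constructed placeholders.

// Split a comma-separated address list, honouring quoted strings and <...>
// so that a comma inside a display name does not split the entry.
function splitAddressList(list) {
  const out = [];
  let cur = '', inQuote = false, depth = 0;
  for (const ch of list) {
    if (ch === '"') inQuote = !inQuote;
    else if (!inQuote && ch === '<') depth++;
    else if (!inQuote && ch === '>') depth = Math.max(0, depth - 1);
    if (ch === ',' && !inQuote && depth === 0) { out.push(cur); cur = ''; }
    else cur += ch;
  }
  out.push(cur);
  return out.map(s => s.trim()).filter(Boolean);
}

// Reduce a mailbox (RFC 5322 name-addr or bare addr-spec) to the addr-spec
// that mail is actually sent to. A display name is ignored even when it
// looks like an email address itself, which is the shape of the confusion
// this article warns about.
function addrSpec(mailbox) {
  const m = mailbox.match(/<([^<>]*)>\s*$/);
  return (m ? m[1] : mailbox).trim().toLowerCase();
}

// Parse a mailto: URL into { to, cc, bcc, subject, body } with every address
// reduced to its addr-spec. RFC 6068 permits only bare addr-specs in the
// path, but clients are lenient, so name-addr forms are reduced there too.
function parseMailto(url) {
  if (!/^mailto:/i.test(url)) throw new Error('not a mailto URL');
  const rest = url.slice('mailto:'.length);
  const q = rest.indexOf('?');
  const pathPart = q === -1 ? rest : rest.slice(0, q);
  const query = q === -1 ? '' : rest.slice(q + 1);

  const result = { to: [], cc: [], bcc: [], subject: null, body: null };
  // Path addresses are percent-encoded ('+' stays literal in mailto).
  for (const mb of splitAddressList(decodeURIComponent(pathPart))) {
    result.to.push(addrSpec(mb));
  }
  // Query header fields: "to" ADDS recipients to the path list; "cc" and
  // "bcc" add further ones. Unknown header fields are dropped.
  for (const pair of query.split('&').filter(Boolean)) {
    const eq = pair.indexOf('=');
    const name = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq)).toLowerCase();
    const value = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    if (name === 'to' || name === 'cc' || name === 'bcc') {
      for (const mb of splitAddressList(value)) result[name].push(addrSpec(mb));
    } else if (name === 'subject' || name === 'body') {
      result[name] = value;
    }
  }
  return result;
}

// The complete, de-duplicated set of delivery addresses for a link.
function allRecipients(url) {
  const p = parseMailto(url);
  return [...new Set([...p.to, ...p.cc, ...p.bcc])];
}

// Constructed example: a link whose path names one address while a "to"
// field quietly appends a second one.
console.log(allRecipients('mailto:support@example.com?to=other@example.net'));
```

Run `allRecipients` over a link before trusting what a compose window shows: if it returns more addresses than the page appears to advertise, or a different one, the link deserves a second look. Which parsing path Inbox mishandled is not stated in the article, so the parser treats every place RFC 6068 lets a recipient hide as suspect.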
Regardless, this is a prime example of why you should always inspect a link before you click it. Last year, a very clever Google Docs phishing scheme rocked the world because it was convincing even to observant, technologically savvy users. Avoiding a repeat of such schemes requires staying vigilant and never becoming too comfortable about your own personal security.
This article’s title and wording were updated on 4/29/18 to better reflect the nature of this issue. We now describe it as a design flaw in the way Inbox handles mailto links rather than as a vulnerability.