Vulnerability in Gmail
Gmail is one of the major webmail service providers across the globe. But as we all know, Gmail still carries that four-letter word BETA. Sometimes we may wonder why Gmail is still in the testing stage even years after its emergence. Here is one small reason for that.
Gmail follows a strict rule that doesn't allow its users to have their first or last name contain the term Gmail or Google. That is, while signing up for a new Gmail account, users cannot choose a first or last name that contains the term Gmail or Google. You can see this from the snapshot below.
This rule is implemented by Gmail for obvious reasons: if users were allowed to have a first or last name containing the term Gmail or Google, it would be easy to impersonate Gmail (or the Gmail Team) and carry out phishing or social engineering attacks on unsuspecting
users. This can be done by simply choosing the first and last name with the
From the above snapshot we can see that Gmail has made a good move in stopping users from abusing its services. However, this move alone isn't enough to prevent malicious users from impersonating Gmail's identity, because Gmail has a small vulnerability that can be exploited so that users can still have their name contain the terms Gmail or Google. You may wonder how to do this, but it's very simple.
1. Log in to your Gmail account and click on Settings.
2. Select Accounts.
3. Click on edit info.
4. In the Name field, select the second radio button and enter the name of your choice. Click on Save Changes and you're done!
Now Gmail accepts any name, even one containing the term Google or Gmail, and that name is what recipients see in the From line of every mail sent from the account. You can see from the below
Allowing users to have names containing the terms Gmail or Google is a serious vulnerability even though it doesn't seem to be a major one. This is because a hacker or malicious attacker can easily exploit this flaw and send phishing emails to other Gmail users asking for sensitive information such as their passwords. Most users don't even hesitate to send their passwords, since they believe they are sending them to the Gmail Team (or someone authorized). But in reality they are sending them to an attacker who uses this information to seek personal
So the bottom line is: if you get any email that appears to have come from the Gmail Team or similar, don't trust it! Anyone can send such emails to fool you and take away your personal details. Look at the actual sender address, not just the display name, and remember that Google will never ask for your password by email. Hope that Gmail fixes this vulnerability as soon as possible to avoid any disasters.
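The check the previous paragraph asks readers to do by eye can be automated on the receiving side: split the From header into its display name and its actual address, and flag mail whose display name claims to be Gmail or Google while the address belongs to a domain that cannot vouch for that claim. The following is an added example, not code from the original post or from Google; the brand terms, the set of domains treated as legitimate for brand-named senders, and the sample messages are all assumptions made for illustration.

```python
"""Flag mail whose From display name impersonates a brand the address does not belong to.

Added example, not code from the original post. The brand terms, the trusted
domain list and the sample messages below are assumptions for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Words that, when they appear in a display name, claim to be the provider (assumed list).
BRAND_TERMS = ("gmail", "google")

# Domains a mail administrator might treat as legitimate for brand-named senders
# (assumed). gmail.com is deliberately absent: anyone can register an address there,
# and the post's whole point is that such a user can set "Gmail Team" as their name.
TRUSTED_SENDER_DOMAINS = {"google.com", "accounts.google.com"}


def analyze_from(header_value: str) -> dict:
    """Split a From header into display name and address and flag brand impersonation.

    parseaddr() does the RFC 5322 parsing, so a display name that itself looks like
    an address ('"support@google.com" <attacker@example.net>') is still treated as a
    display name and not mistaken for the real sender.
    """
    display_name, address = parseaddr(header_value)
    domain = address.rpartition("@")[2].lower() if "@" in address else ""
    name_claims_brand = any(term in display_name.lower() for term in BRAND_TERMS)
    flagged = name_claims_brand and domain not in TRUSTED_SENDER_DOMAINS
    return {
        "display_name": display_name,
        "address": address,
        "domain": domain,
        "flagged": flagged,
    }


def scan_message(raw: str) -> dict:
    """Parse a raw message and analyze its From header."""
    msg = message_from_string(raw)
    return analyze_from(msg.get("From", ""))


# Constructed sample: a phish sent from an ordinary gmail.com account whose
# display name was changed to "Gmail Team" through Settings > Accounts > edit info.
SAMPLE_PHISH = """From: Gmail Team <someuser@gmail.com>
To: victim@gmail.com
Subject: Verify your account

Reply with your password to keep your account active.
"""

if __name__ == "__main__":
    for header in (
        "Gmail Team <someuser@gmail.com>",
        '"support@google.com" <attacker@example.net>',
        "Alice Smith <alice@gmail.com>",
        "Google Accounts <no-reply@accounts.google.com>",
    ):
        print(analyze_from(header))
    print(scan_message(SAMPLE_PHISH))
```

Note that this is a content check, not an authentication check: a message really sent from a gmail.com account through Google's servers passes SPF and DKIM for gmail.com, so sender authentication alone would not catch the attack described in this post. Only comparing what the display name claims against what the address actually is does.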