In order to exploit this vulnerability, the target user only needs to click on a malicious mailto: link. It can also be triggered by clicking on a direct link to Inbox’s mailto: handler page, as shown in this example exploit link<\/a>.<\/p>\n This vulnerability was still unfixed in all Google Inbox apps as of May 4th, 2018, a year after private disclosure.<\/p>\n Update<\/strong>: This vulnerability has been fixed in the Google Inbox webapp<\/a> as of May 18, 2018. The Android app still remains vulnerable.<\/p>\n The recipient \u201csupport@paypal.com\u201d being spoofed in the Google Inbox composition window. The actual recipient is \u201cscam@phisher.example\u201d.<\/p>\n<\/div>\n I received no response for over 8 months, so I sent yet another email on March 16th, 2018.<\/p>\n![\"\"](\"https:\/\/eligrey.com\/blog\/wp-content\/uploads\/2018\/04\/google-inbox-vulnerability-poc.png\")
<\/a><\/p>\n
\nOn July 3rd, 2017 I noticed that Google had added hover tooltips to this field in Inbox, which made it possible for users to manually confirm the recipient email address. The default presentation of the email address was still vulnerable to spoofing, so I sent another email to Google.<\/p>\n![\"\"](\"https:\/\/eligrey.com\/blog\/wp-content\/uploads\/2018\/04\/google-inbox-vulnerability-update.png\")
<\/a><\/p>\n
![\"\"](\"https:\/\/eligrey.com\/blog\/wp-content\/uploads\/2018\/04\/google-inbox-vulnerability-update-2.png\" "\\"I")
<\/a><\/p>\n![\"\"](\"https:\/\/eligrey.com\/blog\/wp-content\/uploads\/2018\/04\/google-inbox-vulnerability-update-3.png\")
<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"