Gmail can be easily spoofed

News by Dan Raywood

Google's Gmail login page can be recreated by spammers.

Google's Gmail login page can be recreated by spammers.


Adrian Pastor of the GNUCitizen ethical hacking-collective claimed that using a frame injection technique and exploiting a Google domain vulnerability would allow hackers to gain users' log in details.


Pastor detailed how a proof-of-concept (PoC) page could be created, and explained that frame injection works by inserting the URL of a third-party website into the ‘targeturl' parameter in the website address, instead of the original contact page.


He claimed that there is a weakness with Google's domain which made it possible for third-parties to 'inject' their own content onto Google's pages, making the user believe it was authentic. The result is what appears as a legitimate Gmail login page that can be used to launch a phishing attack against users. When a username and password are filled out and the user clicks ‘submit', their login credentials go to a third-party page controlled by the attacker.


Pastor said: “The previous PoC URL will cause the entered credentials to be submitted to when clicking on the Sign in, so please do NOT submit any real credentials.


“The attacker has managed to display a non-legitimate third-party page, while the legitimate domain (, in this case) is shown in the address bar. The beauty of frame injection attacks is that the attacker is able to impersonate a trusted entity without needing to bypass XSS/HTMLi filters or even break into the target server.”


Google claimed that although the PoC example page looks similar to Gmail's login page, a few elements mark it as illegitimate. For one, the address began with ‘http' not ‘https' - Gmail is always SSL during login. Also, the top of the frame identifies it as an image search result, further marking the page as suspicious.


Google has said it is investigating the report, but told “We're aware of the potential for this kind of behavior when services are hosted across multiple domains, and we take steps to restrict it where we believe it may have security consequences.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews