Yan Zhu recently discovered a vulnerability in the Android version of Gmail. Google has rejected her claims and maintains that this issue isn’t a vulnerability. The whole scenario is quite easy to replicate and takes almost no technical know-how besides being able to send an email.
So I decided to replicate it and prank my friends.
Change your display name in Gmail, making sure you put it in the following format: “”firstname.lastname@example.org”. The extra quotation mark is what triggers the vulnerability. Here’s the screen of the config I used for this example:
Next, you just have to send a mail to your desired targets.
When they open Gmail on their Android device and go to their inbox, the contents should look like the below (the mail looks like a legitimate security alert):
Once they click the link, they will be in for a surprise:
They will see this image and GIF when they click the link:
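A receiving-side check for the display-name trick described above, as an added example that is not part of the original post: it flags From headers whose display name shows an address other than the real sender, or carries a quotation mark. The sample headers are constructed, their on-the-wire quoting is an assumption, and `split_from` and `check_from` are hypothetical helper names.

```python
import re

# Loose matcher for anything that looks like an e-mail address in a display name.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Simplified "display-name <addr-spec>" split; not a full RFC 5322 parser and
# it does not decode RFC 2047 encoded-words.
FROM_RE = re.compile(r"^\s*(?P<display>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$")
QUOTES = '"\u201c\u201d'  # straight and curly double quotes

# Constructed sample headers (assumed wire form, placeholder domains).
SAMPLES = [
    r'"\"firstname.lastname@example.org" <sender@example.net>',
    'Alice Example <alice@example.org>',
    '"alice@example.org" <alice@example.org>',
    '"Support Team" <help@example.com>',
]


def split_from(header):
    """Return (display_name, address): outer quotes removed, escapes undone."""
    m = FROM_RE.match(header)
    if not m:
        return "", header.strip().lower()  # bare address, no display name
    display = m.group("display")
    if len(display) >= 2 and display[0] == '"' and display[-1] == '"':
        display = display[1:-1]
    display = re.sub(r"\\(.)", r"\1", display)  # \" -> ", \\ -> \
    return display, m.group("addr").lower()


def check_from(header):
    """Return a sorted list of findings for one From header value."""
    display, addr = split_from(header)
    findings = set()
    claimed = {e.lower() for e in EMAIL_RE.findall(display)}
    if claimed - {addr}:
        # The name the user sees contains an address that is not the sender's.
        findings.add("display-name-shows-other-address")
    if any(q in display for q in QUOTES):
        # A quote left inside the decoded name, as in the format shown above.
        findings.add("quote-in-display-name")
    return sorted(findings)


if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_from(header) or "ok")
```
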
Hope you enjoyed this one; it was fun and easy to put together. As always, please let me know if you found this article useful or if you didn’t. Don’t forget to like this post or leave a comment below to let me know another area you would be interested in reading about. Thanks for your continued support! Until next time!