Pretending to be someone you're not in an email has never been quite hard enough—hence phishing, that eternal scourge of internet security. But now one researcher has dug up a new collection of bugs in email programs that in many cases strip away even the existing, imperfect protections against email impersonation, allowing anyone to undetectably spoof a message with no hint at all to the recipient.
On Tuesday, security researcher and programmer Sabri Haddouche revealed Mailsploit, an array of methods for spoofing email in more than a dozen common email clients, including Apple Mail for iOS and macOS, Mozilla's Thunderbird, Microsoft Mail, and Outlook 2016, as well as a long list of less common clients including Opera Mail, Airmail, Spark, Guerrilla Mail and Aol Mail. By combining the bugs in those email clients with quirks in how operating systems handle certain kinds of text, Haddouche was able to craft email headers that, to the recipient, give every indication of having been sent from whatever address the fraudster chooses. The potential for phishing schemes is enormous.
A demo Haddouche has made available on his website describing the Mailsploit attack lets anyone send emails from any address they choose; think of the address of any corporate executive, politician, friend, family member, or associate whose name might trick someone into giving up their secrets. Thanks to Mailsploit's tricks, no amount of scrutiny in the email client can reveal the fakery.