26 Feb 2009

Gmail: Send As old@notMineAnyMore.com

One of Google's many wonderful services, Gmail allows users to send e-mail from addresses other than their primary Gmail account address. This is especially handy for people who have multiple e-mail accounts with various organizations and want to manage all of them from one place. All it takes is a forwarder (from the external account to Gmail), and a confirmation e-mail (from Gmail to the external account -- see Accounts in Gmail Settings) to verify that the account is indeed your own, and you're set.

The problem with this approach is that the ownership check happens only once. Even after the external account has been deleted or handed to someone else (e.g., a role address like admin@domain.com), you, as the once-confirmed owner, can continue to send e-mail as that address from Gmail, apparently indefinitely, because Gmail never asks you to re-confirm.

This is no earth-shattering security hole, but it does give a small number of people the chance to pose as someone they are not, and in some cases that makes a social-engineering attack considerably easier.
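The flaw described above is a one-time ownership check that is never revisited. The following is an added example, not Gmail's code or anything from the original post, showing how a "send as" registry can be built so that a confirmation expires and must be repeated. The class names, the 90-day policy and the injectable clock are all assumptions made for the demonstration; the registry with `ttl=None` reproduces the never-expiring behaviour the post complains about, and the one with a finite `ttl` is the hardened form.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical policy: a confirmed alias must be re-confirmed every 90 days.
DEFAULT_TTL_SECONDS = 90 * 24 * 3600


@dataclass
class SendAsAlias:
    """State of one external address a user is allowed to send as."""
    address: str
    verified_at: Optional[float] = None   # None until the token is confirmed
    pending_token: Optional[str] = None   # token mailed to the external address


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting (test aid)."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class SendAsRegistry:
    """Tracks which external addresses each user has proven ownership of.

    ttl=None  -> confirmation never expires (the behaviour the post describes).
    ttl=N     -> confirmation is valid for N seconds, then must be repeated.
    """
    def __init__(self, ttl: Optional[float] = DEFAULT_TTL_SECONDS, clock=time.time) -> None:
        self._aliases: Dict[Tuple[str, str], SendAsAlias] = {}
        self._ttl = ttl
        self._clock = clock

    def request_alias(self, owner: str, address: str) -> str:
        """Start (or restart) verification; returns the token that would be
        e-mailed to `address`. Any earlier confirmation for this pair is reset."""
        token = secrets.token_urlsafe(16)
        self._aliases[(owner, address)] = SendAsAlias(address, pending_token=token)
        return token

    def confirm(self, owner: str, address: str, token: str) -> bool:
        """Accept the token only if it matches the pending one (constant-time)."""
        alias = self._aliases.get((owner, address))
        if alias is None or alias.pending_token is None:
            return False
        if not hmac.compare_digest(alias.pending_token, token):
            return False
        alias.pending_token = None
        alias.verified_at = self._clock()
        return True

    def may_send_as(self, owner: str, address: str) -> bool:
        """Authorisation check made at send time, not at setup time."""
        alias = self._aliases.get((owner, address))
        if alias is None or alias.verified_at is None:
            return False
        if self._ttl is None:
            return True                      # never re-checked: the flaw
        return self._clock() - alias.verified_at <= self._ttl

    def stale_aliases(self, owner: str):
        """Addresses whose confirmation has lapsed; a defender would list these
        for re-verification or removal rather than silently keep them."""
        return sorted(
            a.address for (o, _), a in self._aliases.items()
            if o == owner and a.verified_at is not None and not self.may_send_as(o, a.address)
        )


def demo() -> dict:
    """Walk both registries through the same sequence and report the outcomes."""
    clock = FakeClock(start=1_000.0)
    user, ext = "user@gmail.example", "admin@domain.example"   # constructed sample values
    results = {}
    for label, ttl in (("never_expires", None), ("expires", 100)):
        reg = SendAsRegistry(ttl=ttl, clock=clock)
        token = reg.request_alias(user, ext)
        before = reg.may_send_as(user, ext)            # not yet confirmed
        wrong = reg.confirm(user, ext, "not-the-token")
        ok = reg.confirm(user, ext, token)
        right_after = reg.may_send_as(user, ext)
        clock.advance(101)                             # past the 100-second ttl
        much_later = reg.may_send_as(user, ext)
        results[label] = (before, wrong, ok, right_after, much_later, reg.stale_aliases(user))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The `never_expires` registry keeps answering `True` to `may_send_as` forever once the token has been confirmed, which is exactly the situation the post describes for a deleted or reassigned address. The `expires` registry answers `False` once the TTL has passed and reports the alias as stale, so the user has to prove they still control the address before sending as it again.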