Gmail can be easily spoofed
Google's Gmail login page can be recreated by spammers. Adrian Pastor of the GNUCitizen ethical-hacking collective claimed that using a frame injection technique and exploiting a Google domain vulnerability would allow hackers to gain users' login details.
Pastor detailed how a proof-of-concept (PoC) page could be created, and explained that frame injection works by inserting the URL of a third-party website into the 'targeturl' parameter in the website address, instead of the original contact page.
He claimed that there is a weakness in Google's domain which makes it possible for third parties to 'inject' their own content onto Google's pages, making the user believe it is authentic. The result is what appears to be a legitimate Gmail login page that can be used to launch a phishing attack against users. When a username and password are filled out and the user clicks 'submit', their login credentials go to a third-party page controlled by the attacker.
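On the defensive side, a page that frames whatever URL arrives in a parameter such as 'targeturl' needs to validate that value before rendering it. The following is an added example, not code from Google or GNUCitizen: a server-side allowlist check in JavaScript, where `ALLOWED_HOSTS`, `BASE` and both function names are hypothetical.

```javascript
// Added example: validate a frame-target parameter ('targeturl') before framing it.
// ALLOWED_HOSTS and BASE are hypothetical values chosen for illustration.
const ALLOWED_HOSTS = new Set(["www.example.com", "help.example.com"]);
const BASE = "https://www.example.com/";

// Returns a normalised URL that is safe to frame, or null if the value is rejected.
function safeFrameTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  // Control characters and backslashes are normalised inconsistently by browsers.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return null;
  let url;
  try {
    // Resolving against BASE handles relative paths and protocol-relative "//host" forms.
    url = new URL(raw, BASE);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;         // no http:, data:, etc.
  if (url.username || url.password) return null;      // no "trusted@other-host" tricks
  if (url.port !== "") return null;                   // default port only
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;  // exact host match, no suffix match
  return url.href;
}

// Extracts 'targeturl' from a request URL and validates it.
function frameTargetFromRequest(requestUrl) {
  const values = new URL(requestUrl, BASE).searchParams.getAll("targeturl");
  // Duplicate parameters: refuse rather than guess which copy the renderer would use.
  if (values.length !== 1) return null;
  return safeFrameTarget(values[0]);
}
```

Pairing this check with a `Content-Security-Policy` `frame-src` directive limited to the same hosts gives a second, browser-enforced layer.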