Did you know that Gmail addresses have always been limited to a specific set of letters and numbers? In early August 2014, Google announced that it would expand the characters Gmail supports. While this may not be a big deal to many, it carries a potential security issue that users should be aware of.
Google’s recent character announcement
Until early August 2014, Gmail only handled email addresses made of basic Latin letters and digits (A to Z and 0 to 9, plus a few punctuation characters such as dots). While this fits many users, a great number have names, and therefore email addresses, that use characters outside the standard English alphabet, such as ‘É’ or ‘à’. To make things easier for more of its users, Google recently expanded the range of characters it supports.
This means that Gmail will now understand addresses that use different scripts from the standard basic Latin alphabet (letters A to Z and numbers 0 to 9). According to Google, “This means Gmail users can send emails to, and receive emails from, people who have these characters in their email addresses.”
Some of the scripts now supported include Katakana, traditional Chinese (Han) characters, accented Latin letters and others. Note that support covers sending and receiving only: people with such addresses can email Gmail users and vice versa, but Google account names are still restricted. In other words, anyone signing up for a new Gmail account must still use the basic Latin alphabet.
Why is this a potential security risk?
At first glance, this may not seem like much of a security risk, especially since most businesses use addresses in the basic Latin alphabet. But there is a real threat once you look at the characters used by other languages. Take the Greek lowercase omicron (ο), which looks almost identical to the Latin letter o.
When we write these letters on paper they look the same, and there is no harm. Online, however, a computer treats them as different characters. This is because of Unicode, the universal standard that assigns every character its own numeric code point. To us the omicron and the letter ‘o’ look alike, but to a computer the Latin letter ‘o’ is U+006F while the Greek omicron is U+03BF.
Attackers will quickly work out that they can swap basic Latin letters for look-alikes from other scripts and create email addresses that take advantage of this (a so-called homograph attack). For example, a message could arrive in your inbox from what appears to be facebook.com, where one of the letters is actually an omicron. To us there is no visual difference, but to the computer the address is completely different, and the email could carry links to malware or tracking software that lead to a security breach.
Is anything being done to stop these characters from being exploited?
According to a post on the Google blog, the tech giant realizes this could be a potential security issue. “The Unicode community has identified suspicious combinations of letters that could be misleading, and Gmail will now begin rejecting emails with such combinations. We’re using an open standard—the Unicode Consortium’s “Highly Restricted” designation—which we believe strikes a healthy balance between legitimate uses of these new domains and those likely to be abused.”
According to the Unicode Consortium’s definition (UTS #39, Unicode Security Mechanisms), the Highly Restrictive level requires that all the letters in a string come from a single script, or from one of these combinations:
- Latin + Han + Hiragana + Katakana,
- Latin + Han + Bopomofo,
- Latin + Han + Hangul
In practice this blocks the classic look-alike trick: an address such as facebook.com with a Greek omicron mixes Latin and Greek letters in one name, which is not a permitted combination, so Gmail rejects it. It is not a complete guarantee, however. A name written entirely in a single non-Latin script can still resemble a Latin one (the Unicode Consortium calls these whole-script confusables), and the script-mixing rule does not catch those, so the check narrows the problem rather than eliminating it.
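To make the omicron example and the Highly Restrictive rule concrete, here is an added example (not code from Google or from the original article) that applies the UTS #39 script-mixing check to an email address. Python’s `unicodedata` module does not expose the Unicode Script property, so the script of each letter is derived from its Unicode character name; this is a constructed heuristic covering only the scripts named on this page (a production implementation would use ICU or the `regex` module’s `\p{Script=...}`), and any letter it cannot classify is treated as a failure. The example also assumes that the local part and each domain label are checked separately, and the sample addresses are constructed, not real senders.

```python
import unicodedata

# Constructed heuristic: derive a script name from the Unicode character name.
# Python's unicodedata does not expose the Script property; a production
# implementation would use ICU or the `regex` module's \p{Script=...}.
NAME_PREFIX_TO_SCRIPT = {
    "LATIN": "Latin",
    "GREEK": "Greek",
    "CYRILLIC": "Cyrillic",
    "CJK UNIFIED IDEOGRAPH": "Han",
    "HIRAGANA": "Hiragana",
    "KATAKANA": "Katakana",
    "HANGUL": "Hangul",
    "BOPOMOFO": "Bopomofo",
}

# The script combinations UTS #39 allows at the "Highly Restrictive" level,
# in addition to any single script on its own.
ALLOWED_COMBINATIONS = (
    frozenset({"Latin", "Han", "Hiragana", "Katakana"}),
    frozenset({"Latin", "Han", "Bopomofo"}),
    frozenset({"Latin", "Han", "Hangul"}),
)


def script_of(ch: str) -> str:
    """Classify one character. Combining marks count as Inherited and digits,
    dots, hyphens and the like as Common; both are ignored by the check, as
    UTS #39 ignores them when resolving a string's script set."""
    if unicodedata.category(ch).startswith("M"):
        return "Inherited"
    if not ch.isalpha():
        return "Common"
    name = unicodedata.name(ch, "")
    for prefix, script in NAME_PREFIX_TO_SCRIPT.items():
        if name.startswith(prefix):
            return script
    return "Unknown"  # not in our table: treated as a failure (conservative)


def scripts_in(label: str) -> set:
    """The set of scripts a label's letters come from, Common/Inherited excluded."""
    return {s for s in map(script_of, label) if s not in ("Common", "Inherited")}


def is_highly_restrictive(label: str) -> bool:
    """True when the label is single-script or uses one of the allowed mixes."""
    scripts = scripts_in(label)
    if "Unknown" in scripts:
        return False
    if len(scripts) <= 1:
        return True
    return any(scripts <= combo for combo in ALLOWED_COMBINATIONS)


def check_address(address: str):
    """Check the local part and every domain label separately (an assumption of
    this example). Returns (accepted, failures) where failures lists
    (label, scripts) for every label that was rejected."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        return False, [("<malformed>", set())]
    failures = [(label, scripts_in(label))
                for label in [local, *domain.split(".")]
                if not is_highly_restrictive(label)]
    return not failures, failures


def code_points(s: str) -> str:
    """Render a string as its code points, the view a computer actually compares."""
    return " ".join(f"U+{ord(c):04X}" for c in s)


if __name__ == "__main__":
    # Constructed sample addresses, not real senders.
    samples = [
        "alice@facebook.com",                           # plain ASCII
        "alice@faceb\u03bfok.com",                      # Latin + Greek omicron: mixed
        "jos\u00e9@example.com",                        # accented Latin: still one script
        "\u6771\u4eac\u30d3\u30eb@example.jp",          # Han + Katakana: allowed mix
        "bob@\u0440\u0430\u0443\u0440\u0430\u04cf.com",  # all-Cyrillic look-alike: passes
    ]
    for addr in samples:
        ok, failures = check_address(addr)
        verdict = "accept" if ok else "reject " + ", ".join(
            f"{label} ({'+'.join(sorted(scripts))})" for label, scripts in failures)
        print(f"{addr:45} {verdict}")
    print(code_points("o\u03bf"))  # U+006F U+03BF
```

Running the script shows the mixed Latin/Greek domain being rejected while the accented Latin and Han + Katakana addresses are accepted. The last sample is the caveat in code: a domain spelled entirely in Cyrillic look-alike letters is single-script and therefore passes, which is why a script-mixing check alone is not the end of the story.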
What can we do?
To take it one step further, we also recommend that Gmail users look carefully at every sender address. People can often spot the difference between a letter and a similar-looking symbol from another script, and if an address looks suspicious it is safest to simply ignore or delete the email.
As with most other security measures, if you receive an email that appears to come from a large company or institution, such as a bank, read the content closely even when the address looks legitimate. Almost no business or institution will ever ask you to provide passwords or login details by email.
In short, stay vigilant about email addresses, and if you have any further questions or concerns, contact us today about our support solutions.