If you look carefully, as the second recipient is added—and after a significant delay, caused by an asynchronous API request—Google suggests that you might like to add two internal addresses to the email as they are often seen on emails with recipient 1 and recipient 2.
But notice where Google positioned the “add recipient” hyperlink. It shifted the position of the subject text area down and placed the hyperlinks where the original subject text area was. The clickable hyperlink area is fully encapsulated by the old subject text area.
In step 4 of the above user flow, if after adding the second recipient I quickly attempted to click in the subject text area, there is a chance that at that exact moment the delayed API request finishes, the subject bar shifts down, and I accidentally add an unintended recipient to the email.
Ironically, I believe this unpredictable delay makes it more likely for a tech-savvy employee working quickly (one who can navigate the compose window faster than the API request takes to finish) to fall foul of this design flaw and accidentally misdirect an email.
A Potential Fix
There are many potential fixes, but I think a simple rule that “no UI component should unpredictably move” would solve this. I would suggest increasing the spacing of the default compose window so that the “add recipient” hyperlinks could fit above the subject bar without moving anything.
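The race described above, and the effect of the "reserve the space, move nothing" fix, can be shown with a small layout model. This is an added example written for this post, not Gmail's code: it assumes a compose window made of stacked rows with illustrative heights (40 px for the recipient and subject rows, 30 px for the suggestion row), and it models a click as a vertical coordinate the user aimed at before the suggestions arrived but that lands after they are inserted.

```javascript
// Added example (not Gmail's code). Models the compose window as stacked rows
// and shows which element a late-landing click hits, with and without a
// reserved slot for the asynchronously loaded recipient suggestions.

// Row heights are assumptions for illustration only.
const BASE_ROWS = [
  { name: 'to', height: 40 },
  { name: 'subject', height: 40 },
  { name: 'body', height: 300 },
];
const SUGGESTION_ROW = { name: 'suggested-recipients', height: 30 };

// Stack rows top to bottom and return their vertical extents.
function layoutRows(rows) {
  let y = 0;
  return rows.map((row) => {
    const box = { name: row.name, top: y, bottom: y + row.height };
    y += row.height;
    return box;
  });
}

// Which element is under a given vertical coordinate (null if none).
function elementAt(boxes, y) {
  const hit = boxes.find((b) => y >= b.top && y < b.bottom);
  return hit ? hit.name : null;
}

// Flawed layout: the suggestion row is inserted only once the API responds,
// pushing the subject row down by the suggestion row's height.
function composeWithoutReservedSpace(suggestionsArrived) {
  const rows = suggestionsArrived
    ? [BASE_ROWS[0], SUGGESTION_ROW, ...BASE_ROWS.slice(1)]
    : BASE_ROWS;
  return layoutRows(rows);
}

// Fixed layout: the slot for suggestions always exists. It is empty until the
// API responds, so no component moves when the suggestions appear.
function composeWithReservedSpace(suggestionsArrived) {
  const slot = suggestionsArrived
    ? SUGGESTION_ROW
    : { name: 'reserved-empty', height: SUGGESTION_ROW.height };
  return layoutRows([BASE_ROWS[0], slot, ...BASE_ROWS.slice(1)]);
}

// The race: the user aims at the centre of the subject row as laid out before
// the suggestions arrive, but the click lands after the layout has updated.
function simulateRace(layoutFn) {
  const before = layoutFn(false);
  const subject = before.find((b) => b.name === 'subject');
  const aimY = (subject.top + subject.bottom) / 2;
  const after = layoutFn(true);
  return elementAt(after, aimY);
}

// Secondary mitigation (assumed pattern, not something the post attributes to
// Gmail): ignore clicks on the inserted row for a short grace period after it
// appears, so a click already in flight cannot activate it.
function acceptClickOnMovedRow(insertedAtMs, clickAtMs, graceMs = 500) {
  return clickAtMs - insertedAtMs >= graceMs;
}

function demo() {
  return {
    flawed: simulateRace(composeWithoutReservedSpace),   // 'suggested-recipients'
    fixed: simulateRace(composeWithReservedSpace),       // 'subject'
    earlyClickAccepted: acceptClickOnMovedRow(1000, 1100), // false
    lateClickAccepted: acceptClickOnMovedRow(1000, 1600),  // true
  };
}

console.log(demo());
```

In the flawed layout the click aimed at the subject row lands on the newly inserted suggestion row, which is exactly the misdirection path the post describes; with the slot reserved, the subject row never moves and the same click still hits it. The grace-period check is a belt-and-braces measure for cases where space genuinely cannot be reserved.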
We raised this design flaw with Google Security on 18th December 2018 and they responded that day with:
“We've investigated your submission and made the decision not to track it as a security bug. This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users' data are in scope, and we feel the issue you mentioned does not meet that bar”
Whilst Google does not feel it substantially affects the confidentiality or integrity of its users' data, we disagree and believe this design flaw could lead to an increase in misdirected emails and data loss. Implications of sending misdirected emails can range from the embarrassing to the damaging, and can even lead to revenue loss due to reputational harm.
Technology should be built and designed in a way to minimize human error, not increase the likelihood of it occurring.
Update: this design flaw seems to only affect Gmail on browsers, not the mobile application.