Google addressed an XSS flaw in Gmail

mood · Nov 18, 2019

Google addressed an XSS flaw in Gmail
...the IT staff at Google defined the vulnerability as “awesome.”
November 18, 2019
https://securityaffairs.co/wordpress/94030/hacking/google-xss-flaw-2.html

Michał Bentkowski, Chief Security Researcher from security frim Securitum, found an XSS vulnerability in Gmail and responsibly disclosed it this week after Google has addressed it.

The flaw, described by Google IT staff as an awesome XSS issue, resides in the AMP4Email feature rolled out in July.
AMP4Email makes it easier the management of dynamic content inside emails, it allows users to easily take action directly from within the message itself, like RSVP to an event, fill out a questionnaire, browse a catalog or respond to a comment. [...] AMP4Email could be subject to DOM Clobbering.

“DOM Clobbering is a legacy feature of web browsers that just keeps causing trouble in many applications. Basically, when you create an element in HTML (for instance ) and then you want wish to reference it from JavaScript, you would usually use a function like document.getElementById(‘username’) or document.querySelector(‘#username’).” the expert wrote.
“AMP tries to get a property of AMP_MODE to put it in the URL,” the continues the researcher. “Because of DOM Clobbering, the expected property is missing, hence undefined.” [...] Bentkowski discovered that it was possible to control the URL
Click to expand...

Securitum: XSS in GMail’s AMP4Email via DOM Clobbering

mood · May 5, 2020

Gmail XSS vulnerability placed under the microscope
Client-side security flaw earned modest bug bounty reward
May 4, 2020
https://portswigger.net/daily-swig/gmail-xss-vulnerability-placed-under-the-microscope

Security researcher Enguerran Gillier uncovered the DOM-based XSS vulnerability in Google’s popular email service after looking at the postMessage API, rather than the more conventional routes of exploring URL parameters or the emails themselves for web security flaws.
The vulnerability, resolved in December 2018, still offers lessons for both web developers and white hat hackers.

“The Gmail tab loads the JavaScript iframe and the attacker has arbitrary code execution on the victim’s Gmail page, which means it can read and send emails [or] change [the] password of accounts registered to this email.”
A potential attacker would still have to work out the channel name in order to run an XSS attack, but this obstacle can be overcome.

Asked what lessons might be drawn from his research, Gillier told The Daily Swig that the current time is a "golden age for DOM XSS".
Click to expand...

DOM XSS in Gmail with a little help from Chrome

The invisible Messages of Gmail
Last year, I looked for DOM XSS in Gmail website. Instead of using url params or the emails themselves as the source of the attack, I decided to use the much more discreet yet ubiquitous postMessage api. At first glance, the Gmail inbox seems a simple webpage, but if you go through the looking glass, it’s actually a dozen of different webpages (or iframes) communicating between each others.
[...]
Conclusion
I couldn’t find an easy way to load an iframe inside Gmail, but with all this I was confident enough to send a report to Google VRP and after a few days I received the “Nice Catch” answer and reward. Google fixed it by adding check on the origin of the message containing the url. The XSS doesn’t work anymore, but the message is still sent if you want to check.
Click to expand...

mood · Aug 5, 2022

XSS in Gmail’s AMP For Email earns researcher $5,000
Researcher bypasses email filter with inspired style tag trickery
August 5, 2022

A cross-site scripting (XSS) vulnerability in AMP for Email, Gmail’s dynamic email feature, has netted a security researcher a $5,000 bug bounty payout.
AMP for Email brings AMP functionality to rich, interactive emails. AMP itself is an open source HTML framework used to optimize websites for web browsing on mobile.

Adi Cohen, who unearthed the security flaw, said he had no problem finding a vector that triggered an XSS within the AMP playground, but found bypassing Gmail’s XSS filter a much tougher assignment.
Click to expand...

The “easiest way to circumvent an XSS filter is by tricking it into a different rendering context than what the browser will actually use to render a given piece of code”, observed Cohen in a blog post.

Since AMP for Email forbids the likes of templates, SVG, math, and CSS, he instead targeted stylesheets as a potential path to an XSS payload with multiple rendering contexts.
Cohen reported the issue to Google on March 27, 2021, and noticed on July 7 that it had been fixed.
Click to expand...

As previously reported by The Daily Swig, Google addressed an unrelated, notable XSS in AMP For Email back in 2019, after security researcher Michał Bentkowski leveraged id attributes in tags to enable ‘DOM clobbering’ attacks.
Click to expand...

XSS in Gmail's Amp4Email

AMP is most commonly used as a framework to develop fast-loading content on the web.
One of AMP's projects, AMP4Email has been adopted in recent years by many of the leading mail services as a way to provide Dynamic Emails (essentially a subset of regular HTML with a few default components to handle things like layouts, templates, forms, and such).

In this post, I’ll walk through how I managed to get one of those initial vectors to bypass that extra layer and arrive at my inbox.
Click to expand...

Log in or Sign up

Google addressed an XSS flaw in Gmail

mood Updates Team

mood Updates Team

mood Updates Team

Log in or Sign up

Google addressed an XSS flaw in Gmail

mood Updates Team

mood Updates Team

mood Updates Team

Useful Searches