XSS Compatibility Feature Earns Researcher XSS Flaw in Gmail $5,000

XSS Flaw in Gmail

An investigator received $5,000 for an odd cross-site scripting (XSS) vulnerability from Google found in the dynamic email function introduced to Gmail a few months ago.

The dynamic e-mail function (AMP) allowed users to use dynamic HTML content in e-mails, allowing users to directly perform different tasks within an e-mail, such as answering a Google Docs comments, completing questionnaires, responding to an invitation to an event and browsing the catalogue. Google generally made the feature available in July.

Michał Bentkowski, Securitum Chief security researcher, studied AMP4Email and found that XSS attacks could be exploited. Although AMP4Email provides safeguards against such attacks, the researcher has found a way to circumvent them through an old feature called DOM Clobbering.

DOM Clobbering is a classic feature of XSS attacks known for web browsers. By using DOM Clobbering, the researcher demonstrated how an attacker could add malicious code via AMP4Email to an e-mail and run it on the side of the victim when the email was opened.

Nonetheless, as shown by Bentkowski, exploitation of the vulnerability did not pose a serious danger, since it could not circumvent the AMP Content Security Policy (CSP) that is designed to prevent XSS attacks. In addition, the expert told that the malicious code of the hacker would be executed in an AMP domain rather than Gmail.

Google nevertheless described the vulnerability as “awesome” and awarded the researcher a $5,000 bug bounty, which is the standard sum for XSS defects.

“Google also expressed concern about this case as they did not want opening up JavaScript emails (which could be used to send browser exploits),” Bentkowski told.

Google reported the vulnerability on August 15 and it was patched before October 12.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.