Wednesday, March 01, 2006

Vulnerability in Gmail

I was recently attempting to mail some JavaScript code from my Yahoo account to my Gmail account when I came across this vulnerability.



Apparently JavaScript in the message body will run if it falls within the preview of the message (the snippet Gmail shows next to the subject in the inbox), because the preview is rendered as HTML rather than as escaped text.



I only tested this sending from a Yahoo account. Sending Gmail to Gmail appears to filter this out.


This is what the message has to consist of:



  • A short subject, to increase the amount of code that fits in the preview and gets to run

  • A short bit of plain text at the start of the body, so that the code isn't treated as quoted text and dropped from the preview

  • And your code




My simple test was:

Subject: a
Body: asdfasdf<script>alert("asdF");</script>


Here is the screenshot (NOTE: I just put it back up): screenshot

Last time I killed my friend's server, so I uploaded it to Flickr instead.




Because the script runs inside the Gmail page with the logged-in user's session, this vulnerability could be used to gather email addresses from the inbox, or even possibly to compromise the account.
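To make the failure class concrete, here is an added model of the bug described above. It is example code, not Gmail's code and not from the original post: the 100-character snippet budget shared by subject and preview, the rule that lines starting with ">" are dropped as quoted text, and the inbox-row markup are all assumptions chosen to illustrate why the post's three ingredients (short subject, plain text first, then the payload) matter, and what the fix looks like.

```javascript
// Added example: a model of the failure class the post describes, not Gmail's
// code. The 100-character snippet budget, the '>' quote heuristic and the
// row markup are assumptions made for illustration.

const SNIPPET_BUDGET = 100; // assumed: characters shared by subject + preview

// Assumed quote heuristic: lines beginning with '>' are treated as quoted
// text and dropped from the preview. This is why the post puts a short run of
// plain text before the payload.
function previewText(body, budgetLeft) {
  const kept = body.split('\n').filter((line) => !line.startsWith('>'));
  return kept.join(' ').slice(0, Math.max(0, budgetLeft));
}

// Vulnerable renderer: untrusted subject and body are concatenated straight
// into inbox-row HTML, so markup in the message becomes markup in the page.
function renderRowUnsafe(subject, body) {
  const preview = previewText(body, SNIPPET_BUDGET - subject.length);
  return `<tr><td class="subject">${subject}</td>` +
         `<td class="snippet">${preview}</td></tr>`;
}

// Hardened renderer: every untrusted string is HTML-escaped before it touches
// markup, so "<script>" arrives in the page as literal text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderRowSafe(subject, body) {
  const preview = previewText(body, SNIPPET_BUDGET - subject.length);
  return `<tr><td class="subject">${escapeHtml(subject)}</td>` +
         `<td class="snippet">${escapeHtml(preview)}</td></tr>`;
}

// Check: does the rendered row still contain an intact <script>...</script>
// element? A tag cut off by the snippet budget is malformed and is not the
// working payload the post describes.
function containsLiveScript(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script\s*>/i.test(html);
}

// Constructed messages modelled on the post's own test case.
const PAYLOAD_BODY = 'asdfasdf<script>alert("asdF");</script>';
const SHORT_SUBJECT = 'a';
const LONG_SUBJECT = 'x'.repeat(90); // leaves only 10 characters for the preview

function demo() {
  return {
    // Short subject, plain text first, raw rendering: the script survives.
    unsafeShort: containsLiveScript(renderRowUnsafe(SHORT_SUBJECT, PAYLOAD_BODY)),
    // A long subject eats the budget and truncates the payload mid-tag.
    unsafeLong: containsLiveScript(renderRowUnsafe(LONG_SUBJECT, PAYLOAD_BODY)),
    // A payload on a quoted line is dropped by the (assumed) quote heuristic.
    unsafeQuoted: containsLiveScript(renderRowUnsafe(SHORT_SUBJECT, '> ' + PAYLOAD_BODY)),
    // Escaping neutralises the same message regardless of subject length.
    safeShort: containsLiveScript(renderRowSafe(SHORT_SUBJECT, PAYLOAD_BODY)),
  };
}

console.log(demo());
```

The durable fix is the one in renderRowSafe: encode untrusted text at the point where it is placed into HTML (or set it through a DOM text property rather than as markup). Turning snippets off, as one commenter suggests, only removes this particular sink; the same unescaped body could reappear wherever else the message text is rendered.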


49 Comments:

Blogger Muneer said...

Yep, I was able to replicate the vulnerability. Oh, and you've been Dugg.

5:01 PM  
Blogger D14BL0 said...

Thanks for pointing this out. Hopefully the Google Team will fix this soon. Something like this can cause some major problems.

5:18 PM  
Blogger Unknown said...

I must be missing something because I can't reproduce this at all.

5:19 PM  
Blogger Alex said...

This isn't working for me either, maybe Google have fixed it

5:23 PM  
Blogger blinks said...

I think they've put a fix up.

5:34 PM  
Blogger Jathan said...

Yeah, didn't work for me.

5:45 PM  
Blogger Sachin said...

This comment has been removed by a blog administrator.

6:15 PM  
Blogger Mohan Rajagopalan said...

It still works, so Google hasn't patched it yet. This is a cool find... thanks

6:31 PM  
Blogger Mark said...

Still a problem for me. To test, make sure you are not sending from a gmail account and when you get the new mail, refresh the page.

6:53 PM  
Blogger Mark said...

well I could reproduce it and now I can't so they must have fixed it.

7:17 PM  
Blogger Matt Andrews said...

Hmm.. I dunno if you should have publicly posted this. Better to alert Gmail in private rather than post it out there for the whole world to see and start exploiting.

7:52 PM  
Blogger Faizal R said...

Already tried. Not working anymore.

8:23 PM  
Blogger Anthony said...

Yeah they have fixed this.

10:11 PM  
Blogger Mayuresh Kadu said...

Looks like it's fixed. Doesn't work for me either.

8:45 AM  
Blogger Armless Highway said...

Hey nice find!
Ashley
http://boulderthegreat.blogspot.com

2:21 PM  
Blogger Internet Salsa said...

However, the London rep for Google has already said that they are going to talk to the technical team, according to IDG News Service.

http://www.internetsalsa.com

2:27 PM  
Blogger Kev said...

Nice find - Has anyone tried any other scripting languages/code?

http://kevsvideotraining.blogspot.com

3:05 PM  
Anonymous Anonymous said...

yea, google's already fixed it. brace yourself for a slashdot onslaught!

3:37 PM  
Blogger Simon Donkers said...

Google's response:

In the interest of minimizing the impact that security vulnerabilities have on our end users, we highly encourage anyone who discovers a vulnerability in a Google product or service to follow responsible disclosure policies by contacting us first at security/at/google/dot/com .

More information is available at:
http://isc.sans.org/diary.php?storyid=1161

3:44 PM  
Blogger San said...

Nice find but i am unable to repro this. I guess google fixed it.

Manseta
www.technologymadness.com

4:09 PM  
Blogger Darren Kopp said...

Well, Google is right, you should report it to them first. That way people don't use the vulnerability to exploit other users.

Props to you for finding it though. Next time, follow the responsible disclosure path.

4:13 PM  
Blogger JC said...

wow you're on online news. did you know about this?

Teenager Claims to Find Flaw in Gmail

A teenage blogger claims to have discovered a flaw in Google's Gmail service that allows JavaScript to run, potentially allowing a malicious hacker to gather e-mail addresses or compromise an account.

The supposed flaw may already have been fixed, however.

The teenager identifies himself in his blog as a 14-year-old named Anthony. His entry about Gmail is available online.

Getting the Message

He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a Gmail account. The code will run in a preview pane, he wrote.

But if the code is mailed from one Gmail account to another, it is filtered out, he said.

Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed.

Google representatives in London could not immediately comment, saying the report would be forwarded to their technical staff.

http://news.yahoo.com/s/pcworld/20060302/tc_pcworld/124939

4:20 PM  
Blogger Arturo 'Buanzo' Busleiman said...

Hey, Google's right. You have RFP's procedure for these kinds of things.

Anyone who is into security and can also program in javascript will definitely contact vendor first and post later, but well, he's 14 years old!...

Oh man, I was 15 when I first hacked into my country's web and mail server, and even I followed the correct disclosure procedure. :P

4:29 PM  
Blogger Sarawanan Ravindran said...

I have been reading your posts and they are quite good. Are you really 14? Because I am a 14-year-old like yourself and my blog entries are not half as good as yours. I hope you could check out my blog at http://www.saran81kid91.blogspot.com. Great job.

5:40 PM  
Blogger High Power Rocketry said...

You 1337 haxor :)

But seriously, good find! I am glad that people like you find these things and honestly report them. Rather than abuse others.
Bono is Brian Peppers!
Can't play Quake 3

8:11 PM  
Blogger Mike said...

There is no place in the security community for individuals to fail to follow responsible disclosure principles.

Shame.

9:30 PM  
Blogger Jason said...

Good job Anthony. You are 14 I hear. That's great.

10:49 PM  
Blogger Bunyamin Najmi said...

Good Job Anthony You are in PCWorld yesterday !!

11:51 PM  
Blogger wekai said...

Good Job Anthony , you are in IDG Sweden and www.google-kai.com
Thanks for tips

2:23 AM  
Blogger Naren said...

Good work man ...

you pointed out something that the Google testers failed to get their hands on...

Narendran

http://narendranj.blogspot.com
http://bookmarks-share.blogspot.com

5:26 AM  
Blogger MOBASOFT said...

Hi. Sorry, I can't view the photo of this action. Please verify the link to the photo. You can upload photos at www.tinypic.com. My weblog is: http://mobasoft.persianblog.com. GOOD LUCK --> MOBASOFT

6:58 AM  
Blogger Fini A. Alring said...

Nice job on finding the flaw, too bad you're too irresponsible to report it to google.

Well you live to learn...

10:38 AM  
Blogger Vikash said...

Hi Anthony... it didn't work for me... anyway, you are getting popularity... good, kid

11:11 AM  
Blogger Unknown said...

Seems that they've fixed it, however thank you for the info

12:27 PM  
Blogger jansegers said...

Nice work.

At this moment the news is spreading in Dutch newsletters all over the Netherlands and Belgium.

Your blog is famous all over the world in no time this way.

Congratulations.

Pieter Jansegers
http://jansegers.blogspot.com

12:31 PM  
Blogger Capitan Crazy Poopy Pants said...

It's weird how people are bitching about how he should've gone to Google first and whatnot.

It's not very easy to figure out where to submit bugs. I thought he did the right thing and blogged about it rather than have someone use it for something that could compromise my system.

Nice find for something so simple.

1:26 PM  
Blogger OnShakedown said...

You made it on The Raw Story too. Good work.

www.rawstory.com

3:20 PM  
Anonymous Anonymous said...

Congratulations!
[]'s

http://quemaneiro.blogspot.com

8:09 PM  
Blogger حبیب said...

that's cool , but i'm late again.. :(

3:47 PM  
Blogger Trent Petronaitis said...

Why are you using Firefox?.. Maybe there's your problem...

4:06 PM  
Blogger wad said...

trinest: Firefox is the problem? Are you out of your mind? It's the greatest browser, which complies with all the standards. Throw away your IE so that you can use your brain ;)

3:18 AM  
Blogger Lee said...

Good discovery and nice documentation; never would I even think about this coming from a 14-year-old.

4:12 AM  
Blogger Hoo Hoo Nick said...

settings -> general -> snippets -> no snippets. Problem solved.

7:58 AM  
Blogger Fabiano Rabaneda said...

Anthony, owner of Ph3rny's Blog (http://ph3rny.blogspot.com/), discovered a vulnerability in Google's popular e-mail service, Gmail. In the test, Anthony sent, from another e-mail account, a piece of JavaScript code to a Gmail account. Instead of showing the code raw, the system interpreted the tags that carried the JavaScript and Gmail executed the commands.
Although Anthony used only simple commands, which launched a dialog box, more dangerous commands could have been used, capable even of compromising the service.

A Google representative stated that the flaw was fixed shortly after the error was disclosed, preventing the hole from being improperly exploited by hackers or crackers.

9:30 AM  
Blogger Rafa said...

Damn, dude...
You're smart. :P

8:29 AM  
Blogger Alberto said...

Wow, all from a 14-year-old guy, excellent! ;-)

4:32 PM  
Blogger Anthony said...

Show us...

It's definitely real

many people even confirmed it at

http://www.digg.com/security/Vulnerability_In_Gmail_allowing_attackers_to_run_code

and in my comments

comment back...

I wouldn't fake something like that

3:50 PM  
