The H-online: Google has closed several cross-site scripting (XSS) holes in its Gmail email service – which has more than 350 million active users – that could have allowed an attacker to inject a malicious client-side script into a victim’s system. Security researcher Nils Juenemann discovered the three different XSS vulnerabilities in Gmail and disclosed them to Google’s Security Team as part the company’s Vulnerability Reward Program, in which researchers are rewarded with up to $20,000 for reporting qualifying bugs in its web-based services.
The worst of these was a persistent XSS vulnerability exploitable via a specially crafted URL; persistent XSS flaws are considered to be more dangerous than normal XSS problems as data provided by an attacker is saved by the server, possibly leading to the execution of arbitrary code. For an attack to be successful, an attacker first needed to obtain key information including the user’s static ID and the message ID. However, Juenemann says that the needed values were easy to get through referrer leaking: by sending an HTML-encoded email to victims with additional content, the required information is leaked when the message is opened and a link is clicked.
The other XSS flaws were a persistent DOM-based (Document Object Model) XSS bug and a reflective DOM XSS bug in the mobile view for Gmail used on, for example, tablets such as the iPad. Juenemann says that the Google Security Team was quick to fix the bugs after he reported them. Further details about these can be found in Juenemann’s blog post, in which he also recommends that users enable 2-step verification on their accounts.