Vulnerability in Gmail
I was recently attempting to mail some JavaScript code from my Yahoo account to my Gmail account when I came across this vulnerability.
Apparently JavaScript in the message body will run if it lands within the preview of the message (the snippet of the body that is shown next to the subject in the inbox list).
I only tested this sending from a Yahoo account. Sending Gmail to Gmail appears to filter this out.
This is what the message has to consist of:
- A short subject, so that more of the body (and so more of your code) fits into the preview
- A short bit of text at the start of the body, so that the code isn't treated as quoted text
- And your code, in <script> tags
My simple test was:
Subject: a
Body: asdfasdf<script>alert("asdF");</script>
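To make the "short subject" and "preview" points concrete, here is an added example that is not code from this post and not Gmail's own code: a toy model of how a mail client might build the inbox preview line from a message, with the unescaped version beside an escaped one. The 100-character preview budget, the function names and the scriptSurvives check are assumptions made for the illustration; the test message is the one from the post above.

```javascript
// Added example: a toy model of a mail client's inbox "snippet"/preview builder.
// It is NOT Gmail's code; the 100-character budget and the function names are
// assumptions made for this illustration.

const SNIPPET_BUDGET = 100; // assumed: characters of subject + body shown in the inbox row

// Escape the five characters that matter when text is placed into an HTML sink.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// How much of the body fits after the subject: a shorter subject leaves
// more room, which is why the post recommends a short subject.
function bodyRoom(subject) {
  return Math.max(0, SNIPPET_BUDGET - subject.length);
}

// Vulnerable: raw message text is concatenated into the inbox HTML.
// Anything the sender wrote, including <script>, reaches the page as markup.
function buildSnippetUnsafe(subject, body) {
  const preview = body.slice(0, bodyRoom(subject));
  return `<span class="subject">${subject}</span> - <span class="snippet">${preview}</span>`;
}

// Hardened: the same layout, but both fields are escaped so sender-controlled
// text is rendered as text and never parsed as tags.
function buildSnippetSafe(subject, body) {
  const preview = body.slice(0, bodyRoom(subject));
  return `<span class="subject">${escapeHtml(subject)}</span> - <span class="snippet">${escapeHtml(preview)}</span>`;
}

// Check used below: does a complete <script>...</script> element survive in
// the generated HTML? (An escaped "&lt;script&gt;" does not match.)
function scriptSurvives(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script\s*>/i.test(html);
}

// The post's own test message (Subject: a, Body: asdfasdf<script>...).
const TEST_SUBJECT = 'a';
const TEST_BODY = 'asdfasdf<script>alert("asdF");</script>';

// A long subject (constructed), to show the budget effect: the body is cut before </script>.
const LONG_SUBJECT = 'x'.repeat(90);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe, short subject:', scriptSurvives(buildSnippetUnsafe(TEST_SUBJECT, TEST_BODY))); // true
  console.log('unsafe, long subject :', scriptSurvives(buildSnippetUnsafe(LONG_SUBJECT, TEST_BODY))); // false
  console.log('safe,   short subject:', scriptSurvives(buildSnippetSafe(TEST_SUBJECT, TEST_BODY)));   // false
  console.log(buildSnippetSafe(TEST_SUBJECT, TEST_BODY));
}
```

The unsafe builder reproduces the post's observation: with subject "a" the whole script element fits into the preview, while a 90-character subject leaves only 10 characters of body and the closing tag is cut off. The escaped builder renders the same message as inert text, which is the fix a mail client needs regardless of where the snippet is shown.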
Here is the screenshot (NOTE: I just put it back up): screenshot
Last time I killed my friend's server, so I uploaded it to Flickr instead.
Because the script runs inside the Gmail page, it has the same access as the logged-in user: it could read the page contents (for example email addresses from the inbox) or possibly go further and compromise the account.
49 Comments:
Yep, I was able to replicate the vulnerability. Oh, and you've been Dugg.
Thanks for pointing this out. Hopefully the Google Team will fix this soon. Something like this can cause some major problems.
I must be missing something because I can't reproduce this at all.
This isn't working for me either, maybe Google have fixed it.
I think they've put a fix up.
Yeah, didn't work for me.
This comment has been removed by a blog administrator.
It still works, so Google hasn't patched it yet. This is a cool find. Thanks.
Still a problem for me. To test, make sure you are not sending from a gmail account and when you get the new mail, refresh the page.
well I could reproduce it and now I can't so they must have fixed it.
Hmm.. I dunno if you should have publicly posted this. Better to alert Gmail in private rather than post it out there for the whole world to see and start exploiting.
Already tried. Not working anymore.
Yeah they have fixed this.
Looks like it's fixed. Doesn't work for me either.
Hey nice find!
Ashley
http://boulderthegreat.blogspot.com
However, the London rep for Google has already said that they are going to talk to the technical team, according to IDG News Service.
http://www.internetsalsa.com
Nice find - Has anyone tried any other scripting languages/code?
http://kevsvideotraining.blogspot.com
Yeah, Google's already fixed it. Brace yourself for a Slashdot onslaught!
Google's response:
In the interest of minimizing the impact that security vulnerabilities have on our end users, we highly encourage anyone who discovers a vulnerability in a Google product or service to follow responsible disclosure policies by contacting us first at security/at/google/dot/com .
More information is available at:
http://isc.sans.org/diary.php?storyid=1161
Nice find but i am unable to repro this. I guess google fixed it.
Manseta
www.technologymadness.com
Well, Google is right, you should report it to them first. That way people don't use the vulnerability to exploit other users.
Props to you for finding it though. Next time, follow the responsible disclosure path.
wow you're on online news. did you know about this?
Teenager Claims to Find Flaw in Gmail
A teenage blogger claims to have discovered a flaw in Google's Gmail service that allows JavaScript to run, potentially allowing a malicious hacker to gather e-mail addresses or compromise an account.
The supposed flaw may already have been fixed, however.
The teenager identifies himself in his blog as a 14-year-old named Anthony. His entry about Gmail is available online.
Getting the Message
He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a Gmail account. The code will run in a preview pane, he wrote.
But if the code is mailed from one Gmail account to another, it is filtered out, he said.
Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed.
Google representatives in London could not immediately comment, saying the report would be forwarded to their technical staff.
http://news.yahoo.com/s/pcworld/20060302/tc_pcworld/124939
Hey, Google's right. You have RFP's procedure for these kinds of things.
Anyone who is into security and can also program in javascript will definitely contact vendor first and post later, but well, he's 14 years old!...
Oh man, I was 15 when I first hacked into my country's web and mail server, and even I followed the correct disclosure procedure. :P
I have been reading your posts and they are quite good. Are you really 14. Because I am a 14 year old like yourself and my blog entries are not half as good as yours. I hope you could check out my blog at http://www.saran81kid91.blogspot.com. Great Job.
You 1337 haxor :)
But seriously, good find! I am glad that people like you find these things and honestly report them. Rather than abuse others.
Bono is Brian Peppers!
Can't play Quake 3
There is no place in the security community for individuals to fail to follow responsible disclosure principles.
Shame.
Good job anthony. you are 14 I hear. that's great.
Good Job Anthony You are in PCWorld yesterday !!
Good Job Anthony , you are in IDG Sweden and www.google-kai.com
Thanks for tips
Good work man ...
You pointed out something that the Google testers failed to get their hands on.
Narendran
http://narendranj.blogspot.com
http://bookmarks-share.blogspot.com
Hi. sorry, I can't view the photo of this action. please verify the link of photo. you can upload photo in www.tinypic.com. MY weblog is: http://mobasoft.persianblog.com. GOOD LUCK --> MOBASOFT
Nice job on finding the flaw, too bad you're too irresponsible to report it to google.
Well you live to learn...
hi anthony....it didn't work for me...anyways u r getting popularity....gud ..kid
Seems that they've fixed it, however thank you for the info
Nice work.
At this moment the news is spreading in Dutch newsletters all over the Nederlands and Belgium.
Your blog is famous over the all world in no time this way.
Congratulations.
Pieter Jansegers
http://jansegers.blogspot.com
It's weird how people are bitching about how he should've gone to Google first and whatnot.
It's not very easy to figure out where to submit bugs. I thought he did the right thing and blogged about it rather than have someone use it for something that could compromise my system.
Nice find for something so simple.
You made it on The Raw Story too. Good work.
www.rawstory.com
Congratulations!
[]'s
http://quemaneiro.blogspot.com
that's cool , but i'm late again.. :(
Why are you using Firefox? Maybe there's your problem...
trinest: Firefox is the problem? Are you out of your mind? Its the greatest browser which complies with all the standards. Throw your IE so that you can use your brain ;)
good discovery and nice documentation, never would i even think about this coming from a 14yr old.
settings -> general -> snippets -> no snippets. Problem solved.
Anthony, owner of Ph3rny's Blog (http://ph3rny.blogspot.com/), discovered a vulnerability in Google's popular e-mail service, Gmail. In his test, Anthony sent, from another e-mail account, a piece of JavaScript code to a Gmail account. Instead of showing the code as raw text, the system interpreted the tags carrying the JavaScript and Gmail executed the commands.
Although Anthony used only simple commands, which opened a dialog box, more dangerous commands could have been used, including ones capable of compromising the service.
A Google representative stated that the flaw was resolved shortly after the error was disclosed, preventing the hole from being exploited improperly by hackers or crackers.
Damn, dude...
You're smart. :P
Wow, all from a 14 years guy, excelent! ;-)
Show us...
It's definitely real.
many people even confirmed it at
http://www.digg.com/security/Vulnerability_In_Gmail_allowing_attackers_to_run_code
and in my comments
comment back...
I wouldn't fake something like that