Google patches ‘awesome’ XSS vulnerability in Gmail dynamic email feature

    The bug bounty hunter who disclosed the issue says the bug is a prime example of DOM Clobbering.

    Google has resolved an XSS vulnerability in Gmail described by the tech giant’s own team as “awesome.”

    On Monday, Michał Bentkowski, Chief Security Researcher at Securitum, disclosed the vulnerability through a responsible disclosure process after the bug had been resolved.

    In a blog post, Bentkowski said the security flaw was present in AMP4Email, a feature in Gmail pushed out to general availability in July.

    AMP4Email, also known as dynamic email, was implemented to make it easier for dynamic content to show up in emails, such as comment threads or event invitations.

    AMP4Email does have a validation system in place to prevent cross-site scripting (XSS) attacks from being used to abuse the feature. Certain tags and attributes are whitelisted, and should someone attempt to add another element or attribute that is not permitted, errors occur.

    However, the security researcher noticed that the id attribute is not disallowed in tags, leading to an investigation into whether or not AMP4Email could be subject to DOM Clobbering.


    “DOM Clobbering is a legacy feature of web browsers that just keeps causing trouble in many applications,” the researcher says. “When you create an element in HTML (for instance) and then you wish to reference it from JavaScript, you would usually use a function like document.getElementById('username') or document.querySelector('#username'). The legacy way is to just access it via a property of the global window object. So window.username is in this case exactly the same as document.getElementById('username').”

    In AMP4Email, some values for the id attribute are restricted. With AMP_MODE clobbered, however, AMP hit a 404 error when it tried to load its JS files, because the resulting URL contained an ‘undefined’ portion.

    “AMP tries to get a property of AMP_MODE to put it in the URL,” the researcher says. “Because of DOM Clobbering, the expected property is missing, hence undefined.”

    The code responsible for the ‘undefined’ portion checks whether AMP_MODE.test and window.testLocation are truthy; the researcher noticed that the URL could be controlled by writing a payload that clobbers window.testLocation.
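    The mechanism described above, as an added example that is not code from the article, from AMP or from Google: a Node.js model of how a whitelisted id attribute becomes a window global, how a naive consumer then ends up with ‘undefined’ in its URL, and a defensive lookup that refuses clobbered globals. Node has no DOM, so the `window` object, the element stub, the attribute names and the URL shape are constructed stand-ins (assumptions), not AMP's real implementation.

```javascript
// Minimal stand-in for a DOM element (assumption: real elements have nodeType === 1).
class ElementStub {
  constructor(tagName, attrs) { this.tagName = tagName; this.nodeType = 1; this.attrs = attrs; }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null;
  }
}

// Browser behaviour being modelled: an element's id becomes a property of the
// global window object unless a script-defined global already uses that name.
function attachNamedAccess(win, elements) {
  for (const el of elements) {
    const id = el.getAttribute('id');
    if (id !== null && !(id in win)) win[id] = el; // the clobbering step
  }
}

// Naive consumer: reads a property straight off the global, like the code path
// the article describes. If AMP_MODE is an element, mode.version is undefined
// and the string "undefined" lands in the URL (URL shape is constructed).
function buildRuntimeUrl(win) {
  const mode = win.AMP_MODE;
  return `https://cdn.example/amp/${mode && mode.version}/v0.js`;
}

// Defensive lookup: a global that looks like a DOM node was put there by
// markup, not by script, so treat it as clobbered and use the fallback.
function isDomNode(v) {
  return v !== null && typeof v === 'object' && typeof v.nodeType === 'number';
}
function safeGlobal(win, name, fallback) {
  const v = Object.prototype.hasOwnProperty.call(win, name) ? win[name] : undefined;
  return v === undefined || isDomNode(v) ? fallback : v;
}
function buildRuntimeUrlSafe(win) {
  const mode = safeGlobal(win, 'AMP_MODE', { version: '0' });
  return `https://cdn.example/amp/${mode.version}/v0.js`;
}

// Constructed scenario: email markup may not contain <script>, but may carry an id.
function demo() {
  const win = {};
  attachNamedAccess(win, [new ElementStub('div', { id: 'AMP_MODE' })]);
  return { naive: buildRuntimeUrl(win), safe: buildRuntimeUrlSafe(win) };
}
```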

    In a real-world scenario, however, the Content Security Policy (CSP) that AMP applies stopped the code from fully executing.


    The vulnerability was reported via the Google Vulnerability Reward Program on 15 August 2019. A day later, Google’s team accepted the report, and by 10 September, the team said: “The bug is awesome, thanks for reporting!”

    The tech giant notified Bentkowski on 12 October that the bug had been resolved, leading to public disclosure.

    ZDNet has reached out to Google but has not heard back at the time of publication.
