The bug bounty hunter who disclosed the issue says the bug is a prime example of DOM Clobbering.
Google has resolved an XSS vulnerability in Gmail described by the tech giant’s own team as “awesome.”
On Monday, Michał Bentkowski, Chief Security Researcher at Securitum, disclosed the vulnerability through a responsible disclosure process after the bug had been resolved.
In a blog post, Bentkowski said the security flaw was present in AMP4Email, a feature in Gmail pushed out to general availability in July.
AMP4Email, also known as dynamic email, was implemented to make it easier for dynamic content to show up in emails, such as comment threads or event invitations.
AMP4Email does have a validation system in place to prevent cross-site scripting (XSS) attacks from being used to abuse the feature. Certain tags and attributes are whitelisted, and should someone attempt to add another element or attribute that is not permitted, errors occur.
However, the security researcher noticed that the id attribute is not disallowed in tags, leading to an investigation into whether or not AMP4Email could be subject to DOM Clobbering.
In AMP4Email, some values for the id attribute are restricted. However, once the AMP_MODE global was clobbered, the function that builds the URL for loading JS files produced a URL containing an ‘undefined’ portion, and the request for that URL returned a 404.
“AMP tries to get property of AMP_MODE to put it in the URL,” the researcher says. “Because of DOM Clobbering, the expected property is missing, hence undefined.”
The code responsible for the undefined value checks whether AMP_MODE.test and window.testLocation are truthy, and the researcher noticed that the resulting URL could be controlled by a payload that overloads window.testLocation.
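The failure mode above, as an added example that is not code from Google, AMP or the researcher: a Node-runnable model of how a global that should be a plain configuration object is shadowed by an element reached through its id, how that shadowing produces an ‘undefined’ URL segment and a sender-controlled origin, and the guard a defender would add. Node has no DOM, so plain objects carrying nodeType and nodeName stand in for HTML elements; the function names, the `version` property, the hosts, and the form/anchor shapes are this example's own assumptions.

```javascript
// Added example (not code from Google, AMP or the researcher): a Node-runnable
// model of the DOM Clobbering failure mode the article describes, with the
// guard a defender would add. Node has no DOM, so plain objects with nodeType
// and nodeName stand in for the HTML elements a browser exposes as window
// properties through their id attribute. Function names, the 'version'
// property and the hosts below are this example's own assumptions.

// Stand-in for an element reached through a named id. An anchor's String()
// value is its href in a real browser, which is how a clobbered global can
// silently become sender-chosen text.
function makeElementLike(tagName, attrs = {}) {
  const el = { nodeType: 1, nodeName: tagName.toUpperCase(), ...attrs };
  if (el.nodeName === 'A') el.toString = () => String(el.href);
  return el;
}

// Duck-typed detection; in a browser use `value instanceof Node` instead.
function isDomNodeLike(value) {
  return value !== null && typeof value === 'object' &&
    typeof value.nodeType === 'number' && typeof value.nodeName === 'string';
}

// Modelled vulnerable pattern: trust AMP_MODE and testLocation from the
// global scope and interpolate them into the URL of a script to load.
function buildScriptUrlUnguarded(scope) {
  const mode = scope.AMP_MODE;
  const origin = (mode.test && scope.testLocation)
    ? String(scope.testLocation)
    : 'https://cdn.example'; // constructed default CDN host
  return `${origin}/rtv/${mode.version}/v0.js`;
}

// Hardened variant: refuse to proceed when a global that should be a plain
// configuration object is a DOM node, or does not have the expected shape.
function buildScriptUrlGuarded(scope) {
  if (isDomNodeLike(scope.AMP_MODE) || isDomNodeLike(scope.testLocation)) {
    return null; // clobbered: fail closed rather than load from a guessed URL
  }
  const mode = scope.AMP_MODE;
  if (!mode || typeof mode !== 'object' || typeof mode.version !== 'string') {
    return null;
  }
  return buildScriptUrlUnguarded(scope);
}

// Sanitizer-side check: ids in untrusted markup must not collide with names
// the page's scripts read from the global scope, nor with existing globals.
function findClobberingIds(ids, reservedNames) {
  const reserved = new Set(reservedNames);
  return ids.filter((id) => reserved.has(id) || id in globalThis);
}

// Constructed scopes standing in for `window`.
const honestScope = {
  AMP_MODE: { test: false, version: '012345' },
};
// A clobbered scope: AMP_MODE is a form whose named input makes `.test`
// truthy, and testLocation is an anchor whose href the sender controls.
const clobberedScope = {
  AMP_MODE: makeElementLike('form', { test: makeElementLike('input', { name: 'test' }) }),
  testLocation: makeElementLike('a', { href: 'https://untrusted.example' }),
};

function demo() {
  return {
    honest: buildScriptUrlUnguarded(honestScope),
    clobbered: buildScriptUrlUnguarded(clobberedScope),
    guarded: buildScriptUrlGuarded(clobberedScope),
    badIds: findClobberingIds(['AMP_MODE', 'footer', 'setTimeout'], ['AMP_MODE', 'testLocation']),
  };
}

console.log(demo());
```

Running it shows the honest scope yielding a normal CDN URL, the clobbered scope yielding a URL whose origin is the anchor's href and whose version segment is the literal `undefined`, the guarded builder returning null for that same scope, and the id check flagging both the reserved name and an id that shadows an existing global. The guard is defence in depth next to the sanitizer's id restrictions and CSP, not a replacement for them.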
In a real-world scenario, however, a Content Security Policy (CSP) function in AMP stopped the code from fully executing.
The vulnerability was reported via the Google Vulnerability Reward Program on 15 August 2019. A day later, Google’s team accepted the report, and by 10 September, the team said: “The bug is awesome, thanks for reporting!”
The tech giant notified Bentkowski on 12 October that the bug had been resolved, leading to public disclosure.
ZDNet has reached out to Google but has not heard back at the time of publication.