Google patches ‘awesome’ XSS vulnerability in Gmail dynamic email feature

    The bug bounty hunter who disclosed the issue says the bug is a prime example of DOM Clobbering.

    Google has resolved an XSS vulnerability in Gmail described by the tech giant’s own team as “awesome.”

    On Monday, Michał Bentkowski, Chief Security Researcher at Securitum, disclosed the vulnerability through a responsible disclosure process after the bug had been resolved.

    In a blog post, Bentkowski said the security flaw was present in AMP4Email, a feature in Gmail pushed out to general availability in July.

    AMP4Email, also known as dynamic email, was implemented to make it easier for dynamic content to show up in emails, such as comment threads or event invitations.

    AMP4Email does have a validation system in place to prevent cross-site scripting (XSS) attacks from being used to abuse the feature. Certain tags and attributes are whitelisted, and should someone attempt to add another element or attribute that is not permitted, errors occur.

    However, the security researcher noticed that the id attribute is not disallowed in tags, leading to an investigation into whether or not AMP4Email could be subject to DOM Clobbering.


    “DOM Clobbering is a legacy feature of web browsers that just keeps causing trouble in many applications,” the researcher says. “When you create an element in HTML (for instance) and then you wish to reference it from JavaScript, you would usually use a function like document .getElementById(‘username’) or document .querySelector(‘#username’). The legacy way is to just access it via a property of global window object. So window.username is in this case exactly the same as document.getElementById(‘username’).”

    In AMP4Email, some values for the id attribute are restricted. However, when in AMP_MODE, an error caused a 404 if the function tried to load JS files, causing an ‘undefined’ portion in the resultant URL.

    “AMP tries to get property of AMP_MODE to put it in the URL,” the researcher says. “Because of DOM Clobbering, the expected property is missing, hence undefined.”

    The code responsible for the undefined element checks to see if AMP_MODE.test and window.testLocation are truthy, but it was noticed that the URL could be controlled by writing a payload to overload window.testLocation.

    In a real-world scenario, however, a Content Security Policy (CSP) function in AMP stopped the code from fully executing.


    The vulnerability was reported via the Google Vulnerability Reward Program on 15 August 2019.  A day later, Google’s team accepted the report, and by 10 September, the team said: “The bug is awesome, thanks for reporting!”

    The tech giant notified Bentkowski on 12 October that the bug had been resolved, leading to public disclosure.

    ZDNet has reached out to Google but has not heard back at the time of publication.

    Recent Articles

    Donald Trump finally wore a mask in public. Let’s take the high road on this one.

    Look. I don't like Donald Trump. There's evidence of that all over this very website. But I'm not going to razz him for finally...

    Poll: Are you trying the iOS 14 beta or waiting until the fall?

    Apple announced iOS 14 at WWDC 2020 last month with a redesigned home screen and features like widgets, App Library, Car keys, and more....

    Cast and crew of ‘Greyhound’ take viewers behind the scenes in new clip

    Go behind the battle with the cast and crew of 'Greyhound'. What you need to know Apple has released a new behind the scenes video of...

    GBWhatsapp APK Download 2020

    How can I download WhatsApp GB? If you're looking for how to download GBWhatsapp good luck because you're in the right place GBWhatsApp is an enhanced...

    Galaxy Note 8 gets July security update ahead of Galaxy Note 20 launch

    Everyone at Samsung is probably busy preparing for the upcoming Galaxy Note 20 launch, but that hasn’t stopped the company from continuing to push...

    Latest Stories

    Leave A Reply

    Please enter your comment!
    Please enter your name here

    Stay on op - Ge the daily news in your inbox

    Do NOT follow this link or you will be banned from the site!
    Translate »