Friday, October 11, 2013

Google Mail Hacking - Stored XSS in GMail for iOS



Hi! I just want to share my finding: a stored XSS vulnerability in GMail for iOS that fires with no user interaction beyond opening the mail. Enjoy ;-)

GMail for iOS contained an XSS vulnerability in its “Mail Attachment” feature: the attachment filename was not escaped before it was rendered. The bug was reported to the Google Security Team and fixed immediately.


About

Title: Stored XSS in GMail for iOS
Business Risk: High
Discovery Date: October 8, 2013
Payload: <img src=x onerror=alert(0)>
Author: Roy Castillo (me)

Steps to Reproduce

1. Log in to Google Analytics.
2. Create an account and name it <img src=x onerror=alert(0)>
3. Go to Reporting -> Real Time -> Overview -> Email.
4. Send the report email to the victim's GMail address.
5. Open GMail for iOS on the victim's device.
6. Open the received email.
7. XSSED: the payload carried in the attachment filename executes.

Stored XSS in GMail for iOS

The filename of the attachment was not escaped correctly, so the markup in the filename was rendered as live HTML and the stored XSS triggered. Because the report generated by Google Analytics arrives as an attachment named after the account, I could inject script code that executed in the context of mail.google.com. The XSS is stored: simply reopen the mail any time you want and it fires again.
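The rendering mistake described above, as an added example that is not Gmail's or Google's code: an attachment row built by string concatenation, where the filename is inserted raw, next to the same row with every untrusted value HTML-escaped first. The helper names, the `SAMPLE_ATTACHMENT` object and its URL are constructed here for illustration; only the filename payload comes from the post.

```javascript
// Added example (not Google's code): how an unescaped attachment filename turns
// into stored XSS, beside the escaped rendering that prevents it.
// Helper names, SAMPLE_ATTACHMENT and its URL are hypothetical.

const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPE_MAP[c]);
}

// Vulnerable pattern: the attacker-controlled filename is concatenated straight
// into markup, so a name like <img src=x onerror=alert(0)> becomes a live tag.
function renderAttachmentUnsafe(att) {
  return '<div class="attachment">' +
    '<a href="' + att.url + '">' + att.filename + '</a>' +
    ' (' + att.size + ' bytes)</div>';
}

// Hardened pattern: every untrusted value is escaped before concatenation,
// so the filename is displayed literally and never parsed as a tag.
function renderAttachmentSafe(att) {
  return '<div class="attachment">' +
    '<a href="' + escapeHtml(att.url) + '">' + escapeHtml(att.filename) + '</a>' +
    ' (' + escapeHtml(att.size) + ' bytes)</div>';
}

// Regression check: does the rendered HTML contain any tag other than the
// <div> and <a> that the template itself emits?
function hasInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  const allowed = /^<\/?(div|a)\b/;
  return tags.some((t) => !allowed.test(t));
}

// Constructed sample mirroring the report: a Google Analytics export whose
// attachment name carries the account name used as the payload.
const SAMPLE_ATTACHMENT = {
  filename: '<img src=x onerror=alert(0)>_Analytics_Report.pdf',
  url: 'https://mail.example.test/attachment/1', // hypothetical
  size: 20480,
};

function demo() {
  const unsafe = renderAttachmentUnsafe(SAMPLE_ATTACHMENT);
  const safe = renderAttachmentSafe(SAMPLE_ATTACHMENT);
  console.log('unsafe:', unsafe);
  console.log('unsafe has injected tag?', hasInjectedTag(unsafe));
  console.log('safe:  ', safe);
  console.log('safe has injected tag?  ', hasInjectedTag(safe));
}

demo();
```

In a real page the simplest fix is to assign the filename with `textContent` rather than build markup by hand; where a template string is unavoidable, escape per context, since `escapeHtml` covers text and quoted attribute values but does not validate a URL scheme or protect a JavaScript context.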

The Google Security Team was pretty fast to address this issue: the first response and the bounty came the next day, and the fix followed on October 10. Google awarded this bug $5000.

Achievement unlocked: $5000 reward for XSS at google.com ;)

Thank you Google Security Team!

Disclosure Timeline

October 8, 2013 at 6:14 AM (GMT +08:00): Vulnerability Discovered
October 8, 2013 at 2:59 PM (GMT +08:00): Initial Report
October 8, 2013 at 2:59 PM (GMT +08:00): Auto-response from security bot
October 9, 2013 at 12:17 AM (GMT +08:00): First response from Security Team
October 9, 2013 at 7:45 AM (GMT +08:00): Bounty awarded
October 10, 2013: Vulnerability Fixed
October 12, 2013: Full Disclosure Published



Best,

Roy Castillo

11 comments:

  1. :D nice one, congratulations on the bounty.
  2. Man, your bugs are cool. I like the way you think :D
  3. Amazing! I never imagined onError could run. Really smart! But it runs just because you send it through Google Analytics, right?
  4. Copied your bug report blog post into http://bughunters.thebestbug.com/index.php?title=Bug3-Google_Mail_Hacking_-_Stored_XSS_in_GMail_for_iOS (trying a wiki of rewarded bugs). Hope you are ok with it, and maybe you can add entries there yourself.