Google developers fix an XSS vulnerability in Gmail's dynamic email feature

Information security specialist Michał Bentkowski of Securitum received $5,000 for identifying an XSS vulnerability in Gmail's dynamic email feature.

Recall that the dynamic email feature, also known as Accelerated Mobile Pages (AMP) for email, or AMP4Email, allows dynamic HTML content in emails. Users can therefore perform various actions directly from an email, for example respond to comments in Google Docs, fill out questionnaires, answer invitations, and so on. Google made this feature publicly available in July this year.

Michał Bentkowski

"The feature raises some obvious security questions; the most important one probably being: what about Cross-Site Scripting (XSS)? If we’re allowing dynamic content in emails, does that mean that we can easily inject arbitrary JavaScript code?", writes Michał Bentkowski.

While studying AMP4Email, Bentkowski discovered that XSS attacks were possible. Although AMP4Email has protection against such problems, the researcher managed to bypass it using DOM Clobbering, a technique that relies on legacy browser behaviour.

This legacy behaviour, in which the id or name attribute of an HTML element becomes a global property visible to scripts, is known to enable XSS attacks. Using DOM Clobbering, the researcher demonstrated that an attacker could add malicious code to an email sent through AMP4Email, and that it would be executed on the victim's side when the message was opened.
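To make the mechanism concrete from the defender's side, here is an added example (not code from the article, nor from AMP or Gmail) of two checks a sanitizer or runtime might apply against DOM Clobbering: rejecting id/name attribute values that collide with globals the page's scripts depend on, and detecting at runtime that a global has already been replaced by an element. The protected global names, the sample markup and the simplified tag parser are all constructed for this example.

```javascript
// Hypothetical list of globals the page's own scripts rely on; a clobbered
// one would be silently replaced by an HTMLElement (or HTMLCollection).
const PROTECTED_GLOBALS = new Set(['AMP', 'AMP_CONFIG', 'document', 'location', 'top', 'self']);

// Per the HTML spec, only these elements expose their `name` attribute as a
// property on window; every element exposes its `id` that way.
const NAME_CLOBBERING_TAGS = new Set(['embed', 'form', 'frameset', 'iframe', 'img', 'object']);

// Minimal attribute tokenizer for the constructed sample markup below; it is
// not a full HTML parser and is only meant to illustrate the check.
function attributesOf(rawAttrs) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(rawAttrs)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Sanitizer-side check: list every id/name value in untrusted markup that
// would shadow a protected global if the markup were inserted into the page.
function findClobberingRisks(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = attributesOf(m[2]);
    for (const attr of ['id', 'name']) {
      const value = attrs[attr];
      if (value === undefined) continue;
      if (attr === 'name' && !NAME_CLOBBERING_TAGS.has(tag)) continue;
      if (PROTECTED_GLOBALS.has(value)) findings.push({ tag, attr, value });
    }
  }
  return findings;
}

// Runtime-side check: a global that was expected to be a plain object or
// function but now carries a tagName has been clobbered by a DOM element.
// `win` is passed in so the check can run without a real browser window.
function hasBeenClobbered(win, name) {
  const v = win[name];
  return typeof v === 'object' && v !== null && typeof v.tagName === 'string';
}

// Constructed sample: two of the three named elements collide with globals.
const SAMPLE = '<form name="AMP"><input id="x"><a id="AMP_CONFIG" href="#">x</a></form>';
```

Run as a sanitizer pre-check, `findClobberingRisks(SAMPLE)` reports the `form` and `a` elements while ignoring `name` on tags that never reach window.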

It should be noted that the exploitation the researcher demonstrated did not pose a serious risk, since he was unable to bypass AMP's Content Security Policy (CSP), which is designed specifically to prevent XSS attacks. Moreover, the researcher explains that the attacker's code would execute in the sandbox of the AMP domain, not in the Gmail domain.

"I didn’t find a way to bypass the CSP. Google, in their bug bounty program, don’t actually expect bypassing CSP and pay a full bounty anyway. It was still an interesting challenge; maybe someone else will find a way to bypass", writes Michał Bentkowski.

Nevertheless, Google engineers found Bentkowski's finding interesting, called the vulnerability "awesome", and rewarded the researcher with $5,000 through the bug bounty program.

About the author

Valdis Kook

Security engineer, reverse engineering and memory forensics