Google Developers Fixed Gmail Dynamic Messaging XSS-Vulnerability

Gmail Dynamic Messaging XSS-Vulnerability
Written by Valdis Koks

Information security specialist Michał Bentkowski from Securitum earned $5,000 for identifying an XSS vulnerability in Gmail's dynamic messaging feature.

Recall that the dynamic email feature, known as Accelerated Mobile Pages (AMP) for email or AMP4Email, allows dynamic HTML content inside emails. Users can therefore perform various actions directly from an email, for example respond to comments in Google Docs, fill out questionnaires, reply to invitations, and so on. Google made this feature publicly available in July this year.

“The feature raises some obvious security questions; the most important one probably being: what about Cross-Site Scripting (XSS)? If we’re allowing dynamic content in emails, does that mean that we can easily inject arbitrary JavaScript code?”, writes Michał Bentkowski.

While studying AMP4Email, Bentkowski found that XSS was possible. Although AMP4Email includes protection against such problems, the researcher managed to bypass it using DOM Clobbering, a legacy browser behaviour.

This legacy behaviour is a known enabler of XSS, and using DOM Clobbering the expert demonstrated that an attacker can add malicious code to an AMP4Email message, which is then executed on the victim’s side when the message is opened.
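As an added illustration (not code from the article or from the AMP project), the check below flags markup whose id or name attributes would clobber globals that a page script reads as plain variables; the list of watched globals and the sample markup are assumptions constructed for this example.

```javascript
// Added example: a pre-render check for DOM Clobbering. Any element with an
// id attribute becomes a named property of window, and form/img/iframe/embed/
// object elements with a name attribute become named properties of document.
// If the page's script reads one of those names as a global, the markup
// silently replaces the expected value with an element.

// Globals the (hypothetical) page script reads; an assumption for illustration.
const WATCHED_GLOBALS = ['AMP', 'config', 'validator'];
// Tags whose name attribute creates a named property on document.
const NAMED_ON_DOCUMENT = new Set(['form', 'img', 'iframe', 'embed', 'object']);

function findClobberingAttributes(html, globals = WATCHED_GLOBALS) {
  const wanted = new Set(globals);
  const findings = [];
  const idCounts = new Map();
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;           // opening tags only
  const attrRe = /\b(id|name)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const tagName = tag[1].toLowerCase();
    attrRe.lastIndex = 0;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const name = attr[1].toLowerCase();
      const value = attr[2] ?? attr[3] ?? attr[4];
      if (name === 'id') idCounts.set(value, (idCounts.get(value) || 0) + 1);
      if (!wanted.has(value)) continue;
      // 'collection-only': a name attribute on another tag is reachable only
      // through an HTMLCollection's named lookup (see below).
      const scope = name === 'id' ? 'window'
        : NAMED_ON_DOCUMENT.has(tagName) ? 'document' : 'collection-only';
      findings.push({ tag: tagName, attr: name, value, scope });
    }
  }
  // Two elements sharing an id turn window.<id> into an HTMLCollection, whose
  // named lookup also honours the name attribute of any element in it, so one
  // more property level can be reached; mark those findings.
  for (const f of findings) f.repeatedId = (idCounts.get(f.value) || 0) > 1;
  return findings;
}

// Constructed sample markup for a local run.
const SAMPLE_HTML = '<p>Hello</p><a id="AMP" href="#"></a><img name="config"><input id="other">';
console.log(findClobberingAttributes(SAMPLE_HTML));
```

Run the check on untrusted markup before it is rendered next to trusted script, and treat any finding as a reason to reject or rename the attribute.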


It should be noted that the exploitation demonstrated by the specialist did not pose a serious risk, since he was unable to bypass the Content Security Policy (CSP) in AMP, which exists specifically to prevent XSS attacks. In addition, the expert explains that the attacker's code would execute in the sandboxed AMP domain, not in the Gmail domain.

“I didn’t find a way to bypass the CSP. Google, in their bug bounty program, don’t actually expect bypassing CSP and pay a full bounty anyway. It was still an interesting challenge; maybe someone else will find a way to bypass”, Michał Bentkowski writes.

Nevertheless, Google engineers found Bentkowski's discovery interesting, called the vulnerability “awesome”, and rewarded the researcher with $5,000 through the bug bounty program.

About the author

Valdis Koks

Security engineer, reverse engineering and memory forensics
