digg

Join DiggAbout

Discover the best of the web!
Learn more about Digg by taking the tour.

Vulnerability In Gmail allowing attackers to run code

ph3rny.blogspot.com — If the preview snippet of a message in gmail contains javascript or html it will be executed.

Bury
show profanity settings
expand all
  • tuxidomasx, on 10/12/2007, -2/+0whoa. if this is new, thats a big issue. seriously. it may be possible to grab google cookies and possibly hijack google sessions. imma try it out on my gmail acct.
  • Khlept0, on 10/12/2007, -0/+0Ouch.

    Ebay And Google get hit with XSS vulns in the same day.

    Hope they fix this before phishing takes the bait.
  • ph3rny, on 10/12/2007, -0/+6It's my blog just so you know.

    Although you could consider it self promotion how else am I supposed to post something like this.
  • tuxidomasx, on 10/12/2007, -0/+0errr. cant reproduce this. maybe they fixed it already?
  • ph3rny, on 10/12/2007, -0/+0for some reason it does not work when sending gmail to gmail
  • ph3rny, on 10/12/2007, -0/+0Try sending from a yahoo email account.
  • juneof44, on 10/12/2007, -0/+0Great find.
  • tuxidomasx, on 10/12/2007, -0/+0ahhh. yup. works like a charm. now for some experimentation ;-)
  • Khlept0, on 10/12/2007, -1/+0I reported this to the gmail security team.
  • bonyicecream, on 10/12/2007, -0/+0gmail just went down so i bet they're fixing it...maybe
  • bonyicecream, on 10/12/2007, -0/+0nvm...not fixed
  • thebosz, on 10/12/2007, -0/+0Fixed now!
  • ph3rny, on 10/12/2007, -0/+0still works for me
  • Khlept0, on 10/12/2007, -0/+0Try sending another email, not one that is already in your box.
  • ph3rny, on 10/12/2007, -0/+0Another note: the subject must be unique
  • thebosz, on 10/12/2007, -0/+0Seems to work randomly on some messages but not others
  • akirakurosawa, on 10/12/2007, -4/+0AAAAAAAAAAAAAHAHAHAAHAA

    DIEEE GOOOOOOOOGGGLEE!!!! DIEEEEEEEEEE!!!!
  • seattle98104, on 10/12/2007, -2/+0well, if this runs does the old obfuscated IE javacsript work that took down myspace for a abit work?
  • jmikel, on 10/12/2007, -0/+0Doesn't seem to work. The last ">" is stripped no matter how short the body text is.
  • Distortion, on 10/12/2007, -0/+0Still working for me.. Keep in mind when you're trying this you need to totally reload the Inbox page: just hitting the refresh button in your browser while there is sufficient.
  • FrostyFire, on 10/12/2007, -0/+0Does anyone have a copy of the screenshot?
  • timewarrior, on 10/12/2007, -0/+0The script execued at the inbox itself.
  • optikshell, on 10/12/2007, -2/+1I'm betting we'll see a fix fairly quickly from google.

    ------------------------------------
    www.UniversityNotes.NET
    Giving Students the Advantage
  • nnonix, on 10/12/2007, -0/+0Ahh, just a vulnerable as the next guy!
  • evan410, on 10/12/2007, -0/+0I can not get it to work. Is it fixed?
  • davidleeroth, on 10/12/2007, -3/+1A bit offtopic, but i cant believe how ***** ugly your firefox is. it was unrecognisable until i saw the taskbar.
    http://www.ipnow.org.nyud.net:8090/vulnerability.png
  • mikechml, on 10/12/2007, -0/+5Seriously, why post it here?
    Why not just e-mail google directly and avoid the frenzy of phishing?
  • niqhil, on 10/12/2007, -0/+0Still works for me.
  • timewarrior, on 10/12/2007, -0/+0It appears that the preview of the message in the inbox window is recognised as code.Doubt if this will work on a bigger piece of code?
  • davidleeroth, on 10/12/2007, -8/+0;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ;;;;;;;;;;;;;
    ;;;;;;;;;;
    ;;;;;
    ;;;
    ;;
    ;
  • davidleeroth, on 10/12/2007, -5/+0im so sorry for posting the above! i didnt mean to send that!
  • wtfunkymonkey, on 10/12/2007, -2/+0holy crikies!
  • outerspaceapple, on 10/12/2007, -0/+3I bet you could include a .js file hosted remotely... then its any man's game
  • ionut, on 10/12/2007, -0/+2Try something like
    document.location='http://www.cnn.com'
    instead of the alert. It's really great to see the redirection. And it's pretty difficult to go back to gmail. So beware.
  • mdmoya, on 10/12/2007, -0/+0It's not working for me at all. Anyone still able to get it to work?
  • -Jeroen-, on 10/12/2007, -0/+0doesn't seem to work for me...
  • noamsml, on 10/12/2007, -1/+3eek, scary. In the meanwhile, all mails to me with the word "script" in them will be immediately archived and have the label "potentially dangerous" applied to it.
  • lightdarknes, on 10/12/2007, -0/+0Server Error

    We're sorry, but Gmail is temporarily unavailable. We're currently working to fix the problem -- please try logging in to your account in a few minutes.

    Probably releated.
  • SSJemmett, on 10/12/2007, -0/+4Take it from me... DO NOT put "location.replace("http://www.yahoo.com");" in the message body unless you want to redirected to Yahoo every time you try to access your inbox. Basically, I can't access my email again until Google fixes this.
  • SSJemmett, on 10/12/2007, -0/+0That last comment has script tags surrounding the javascript but Digg edited them out.
  • imjustabill, on 10/12/2007, -0/+0It doesn't seem to work if it's in basic HTML mode. Is there any way to change your settings to have gmail load in HTML mode and not standard??
  • D14BL0, on 10/12/2007, -0/+0This can be temporarily fixed by disabling snippets in your settings. I keep them off, anyway. It looks more uniform with them disabled. But, that's just me.
  • niner9, on 10/12/2007, -0/+0Doesn't work for me sending from Outlook to gmail.
  • Lite, on 10/12/2007, -0/+0rats its fixed now
  • Eric4, on 10/12/2007, -0/+0You know, this only affects you if you use Webmail. Everyone using POP access should be safe.
  • geminitojanus, on 10/12/2007, -0/+0Okay kids, what have we learned?

    Don't exploit bugs, report them! Hell, if I were Google, I'd pay whoever found this bug. Think about that next time ;)
  • imjustabill, on 10/12/2007, -0/+0SSJemmett: the link for basic HTML mode is: http://mail.google.com/mail/?ui=html&zy=f thats should start it in HTML mode, and the code won't run
  • mikeon, on 10/12/2007, -0/+1Wouldn't turning off preview snippets in the settings stop this?
  • LewsTherin, on 10/12/2007, -0/+1If you're stupid enough to test with a redirect, you can fix it by disabling javascript in your browser, then deleting the e-mail.
  • chadsmith76, on 10/12/2007, -0/+0I get the ... Arrgh! The page has been corrupted. If you are running security or firewall software, you may have to disable it. Learn more error and the emails with the script are not displayed, every once in a while a try again and is displays a bit different each time.
  • Fetching more discussions...
    Show 51 - 100 of 145 discussions
  •  

    Login or register to add a comment

    Create a new account or login to join in the conversation on Digg. You'll also be able to Digg stories to help promote things you like.


© Digg Inc. 2008 — Content posted by Digg users is dedicated to the public domain.
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.