Teen Blogger Discovers Gmail JavaScript Vulnerability
A 14-year-old blogger (aren’t all 14-year-olds bloggers?) recently discovered a hole in Google's Gmail that allows JavaScript to execute automatically when someone uses the email preview function.
From Ph3rny’s Blogspot-hosted Blogger blog:
I was recently attempting to mail some JavaScript code from my Yahoo account to my Gmail when I came across this vulnerability.
Apparently JavaScript will run if it is within the preview of the message.
I only tested this sending from a Yahoo account. Sending Gmail to Gmail appears to filter this out.
This is what the message has to be composed of:
* A short subject to increase the amount of code to run
* A short bit of text in the body so that the code isn’t treated as quoted text
* And your code
My simple test was: Subject: a Body:
Here is a screen: http://www.ipnow.org/vulnerability.png
This vulnerability could be used to gather email addresses. Or even possibly to compromise the account.
Google’s Gmail has since addressed and fixed the flaw:
“We learned of a minor security flaw in Gmail a little while ago and worked quickly to fix the problem, which has now been resolved. We encourage all vulnerability reporters to follow responsible disclosure practices and notify vendors first before making the vulnerability public.”