Friday, October 11, 2013

Google Mail Hacking - Stored XSS in GMail for iOS



Hi! I just want to share my finding: I found a Stored XSS vulnerability in GMail for iOS. It requires no user interaction. Enjoy ;-)

GMail for iOS contained an XSS vulnerability in its “Mail Attachment” feature. The bug was reported to the Google Security Team and fixed immediately.


About

Title: Stored XSS in GMail for iOS
Business Risk: High
Discovery Date: October 8, 2013
Payload: <img src=x onerror=alert(0)>
Author: Roy Castillo (me)

Steps to Reproduce


1. Login to Google Analytics
2. Create an account and name it <img src=x onerror=alert(0)>
3. Go to Reporting -> Real Time -> Overview -> Email
4. Send an email to the victim GMail address.
5. Open your GMail for iOS
6. Open the received email.
7. XSSED

Stored XSS in GMail for iOS

The filename of the attachment was not escaped correctly, which let me trigger a Stored XSS. By using the generated report from Google Analytics I could inject script code that executed in the context of mail.google.com. The XSS is stored: simply reopen the mail at any time and the payload fires again.

The Google Security Team was very fast to address this issue and resolved it the next day. They awarded a $5000 bounty for this bug.

Achievement unlocked: $5000 reward for XSS at google.com ;)

Thank you Google Security Team!

Disclosure Timeline

October 8, 2013 at 6:14 AM (GMT +08:00): Vulnerability Discovered
October 8, 2013 at 2:59 PM (GMT +08:00): Initial Report
October 8, 2013 at 2:59 PM (GMT +08:00): Autoresponse from Security bot
October 9, 2013 at 12:17 AM (GMT +08:00): First response from Security Team
October 9, 2013 at 7:45 AM (GMT +08:00): Bounty Rewarded.
October 10, 2013: Vulnerability Fixed
October 12, 2013: Full Disclosure Published



Best,

Roy Castillo

45 comments:

  1. :D nice one, congratulations on the bounty.

  2. Man your bugs are cool. I like the way you think :D

  3. Amazing! I never imagined onError could run. Really smart! But it runs just because you send it through Google Analytics, right?

  4. The personal items are always important to be stored in the first place. So, if you’ve rented a storage space or thought about it, the time is right now for you to consider insurance options since some renting facilities will not cover your stuff.
    Storage in Vancouver, WA

  5. Copied your bug report blog post into http://bughunters.thebestbug.com/index.php?title=Bug3-Google_Mail_Hacking_-_Stored_XSS_in_GMail_for_iOS (trying a wiki with bugs rewarded). Hope you are ok with it and maybe you can add entries there yourself.

  6. Thanks for the blog...very nice description about Online Tech Support...Good luck!!!
    For Online Tech Support, please follow the website: Gmail Technical Support

    Thank you
    Lacy Brown

  7. Thanks for posting this article. Mobile Application Development plays a great role in business. Great job, keep it up.

  8. There are also other options you can choose here too, but the ones I use the most are Skip the Inbox and Apply the Label. https://www.behance.net/gallery/40444073/Change-Or-Reset-Your-Google-Account-Password?

  9. Finding the time and actual effort to create a superb article like this is a great thing. I’ll learn many new stuff right here! Good luck for the next post buddy..
    IOS Training in Chennai

    1. wow give me training..hey please send me some auto approval backlinks.
      www.umangseo5008@gmail.com

  10. Thank you for taking the time and sharing this information with us. It was indeed very helpful and insightful while being straightforward and to the point.
    Mcdonalds gutscheine | Startlr | salud limpia

  11. It is amazing and wonderful to visit your site. Thanks for sharing this information, this is useful to me...
    Android Training in Chennai
    Ios Training in Chennai

  12. Wow very nice blog and got a great idea about gmail hacking....
    IOS course in chennai

  13. If you want your ex-girlfriend or ex-boyfriend to come crawling back to you on their knees (even if they're dating somebody else now) you must watch this video
    right away...

    (VIDEO) Have your ex CRAWLING back to you...?

  14. http://www.yahoosuppotphonenumber.net /
    Yahoo Support Phone Number
    Yahoo is a useful platform for its users. While users use their yahoo platform they can get enhanced services because yahoo provides better and the most updated services for all its users. Even though it is user oriented, for a better experience it makes sure that customized and personalized services can be enabled for each of its users.

  15. We are a 3rd party technical support team. Get Gmail customer service number +1-866-641-8283 or Gmail toll free number. We're here to help with your gmail account related issues.

  16. You rock particularly for the high caliber and results-arranged offer assistance. I won't reconsider to embrace your blog entry to anyone who needs and needs bolster about this region.
    fire and safety course in chennai

  17. I wish to show thanks to you just for bailing me out of this particular trouble. As a result of checking through the net and meeting techniques that were not productive, I thought my life was done.
    nebosh course in chennai

  18. Great content, thanks for sharing this informative blog which provided me technical information. Keep posting.
    python course in pune
    python course in chennai
    python course in Bangalore

  19. Webroot antivirus is one of the mostly increasing antivirus programs, which has become well-known in no time. It is useful to protect your PC, Laptop and mobile etc.
    Webroot Antivirus Support Number
    Quickbooks Payroll Support
    Quicken Tech Support Number
    Gmail Technical Support Number
    Turbo Tax Tech Support Number

  20. Your post is really awesome. Your blog is really helpful for me to develop my skills in the right way. Thanks for sharing this unique information with us.
    - Learn Digital Academy

  21. Thanks for the good words! Really appreciated. Great post. I’ve been commenting a lot on a few blogs recently, but I hadn’t thought about my approach until you brought it up.
    Best Devops training in sholinganallur
    Devops training in velachery
    Devops training in annanagar
    Devops training in tambaram

  22. Such an excellent and interesting blog. Do post like this more with more information. This was very useful, thank you.
    Aviation Academy in Chennai
    Aviation Courses in Chennai
    best aviation academy in chennai
    aviation institute in chennai