I only tested this sending from a Yahoo account. Sending Gmail to Gmail appears to filter this out.
This is what the message has to consist of:
* A short subject to increase the amount of code to run
* A short bit of text in the body so that the code isn’t treated as quoted text
* And your code
My simple test was: Subject: a Body:
Here is a screen: http://www.ipnow.org/vulnerability.png
This vulnerability could be used to gather email addresses, or possibly even to compromise the account.
Google’s Gmail has since addressed and fixed the flaw:
“We learned of a minor security flaw in Gmail a little while ago and worked quickly to fix the problem, which has now been resolved. We encourage all vulnerability reporters to follow responsible disclosure practices and notify vendors first before making the vulnerability public.”