Advertisement

Teen Blogger Discovers GMail Javascript Vulnerability

  • 907
    READS
Teen Blogger Discovers GMail Javascript Vulnerability

Teen Blogger Discovers GMail Javascript Vulnerability

A 14 year old blogger (aren’t all 14 year olds bloggers?) recently discovered a hole in Google Gmail which allows automatic javascript execution when someone is using the email preview function.

From Ph3rny’s Blogspot hosted Blogger Blog :

I was recently attempting to mail some javascript code from my yahoo account to my gmail when I came across this vulnerability.

Apparently javascript will run if it is withing the preview of the message.

I only tested this sending from a yahoo account. Sending gmail to gmail appears to filter this out.

This is what the message has to compose of

* A short subject to increase the ammount of code to run

* A short bit of text in the body so that the code isn’t treated as quoted text

* And your code

My simple test was : Subject: a Body:

Here is a screen: http://www.ipnow.org/vulnerability.png

This vulnerability could be used to gather email addresses. Or even possibly to compromise the account.

Google’s Gmail has since addressed and fixed the flaw :

“We learned of a minor security flaw in Gmail a little while ago and worked quickly to fix the problem, which has now been resolved. We encourage all vulnerability reporters to follow responsible disclosure practices and notify vendors first before making the vulnerability public.”

CategorySEO
ADVERTISEMENT

Subscribe to SEJ

Get our daily newsletter from SEJ's Founder Loren Baker about the latest news in the industry!

Ebook

Loren Baker

Loren Baker is the Founder of SEJ, an Advisor at Alpha Brand Media and runs Foundation Digital, a digital marketing ... [Read full bio]

ADVERTISEMENT
Advertisement
Read the Next Article
Read the Next