Google patches ‘awesome’ XSS vulnerability in Gmail dynamic email feature

The bug bounty hunter who disclosed the issue says the bug is a prime example of DOM Clobbering.
Written by Charlie Osborne, Contributing Writer

Google has resolved an XSS vulnerability in Gmail described by the tech giant's own team as "awesome."

On Monday, Michał Bentkowski, Chief Security Researcher at Securitum, disclosed the vulnerability through a responsible disclosure process after the bug had been resolved. 

In a blog post, Bentkowski said the security flaw was present in AMP4Email, a feature in Gmail pushed out to general availability in July. 

AMP4Email, also known as dynamic email, was implemented to make it easier for dynamic content to show up in emails, such as comment threads or event invitations. 

AMP4Email does have a validation system in place to prevent cross-site scripting (XSS) attacks from being used to abuse the feature. Certain tags and attributes are whitelisted, and should someone attempt to add another element or attribute that is not permitted, errors occur.

However, the security researcher noticed that the id attribute is not disallowed in tags, leading to an investigation into whether or not AMP4Email could be subject to DOM Clobbering

See also: These software vulnerabilities top MITRE's most dangerous list

Document Object Model (DOM) Clobbering has been caused by the gradual increase in complexity when it comes to digital messaging. Emails are rarely now only text-based, and while attempting to facilitate additional content, sanitization has become crucial -- but, sometimes, issues in whitelisting can be exploited to deploy XSS attacks. 

"DOM Clobbering is a legacy feature of web browsers that just keeps causing trouble in many applications," the researcher says. "When you create an element in HTML (for instance) and then you wish to reference it from JavaScript, you would usually use a function like document .getElementById('username') or document .querySelector('#username'). The legacy way is to just access it via a property of global window object. So window.username is in this case exactly the same as document.getElementById('username')."

In AMP4Email, some values for the id attribute are restricted. However, when in AMP_MODE, an error caused a 404 if the function tried to load JS files, causing an 'undefined' portion in the resultant URL. 

CNET: Most Americans don't think it's possible to keep their data private, report says

"AMP tries to get a property of AMP_MODE to put it in the URL," the researcher says. "Because of DOM Clobbering, the expected property is missing, hence undefined."

The code responsible for the undefined element checks to see if AMP_MODE.test and window.testLocation are truthy, but it was noticed that the URL could be controlled by writing a payload to overload window.testLocation.

In a real-world scenario, however, a Content Security Policy (CSP) function in AMP stopped the code from fully executing. 

TechRepublic: Cybersecurity remains the top concern for middle market companies

The vulnerability was reported via the Google Vulnerability Reward Program on 15 August 2019.  A day later, Google's team accepted the report, and by 10 September, the team said: "The bug is awesome, thanks for reporting!" 

The tech giant notified Bentkowski on 12 October that the bug had been resolved, leading to public disclosure. 

ZDNet has reached out to Google but has not heard back at the time of publication. 

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards