Here I present a (reported and fixed) Stored XSS vulnerability I discovered in mail.google.com, which required no user interaction.
It is caused by the phishing alert, which in the basic HTML layout does not correctly escape characters in the sender's name. The sender name, which is under the attacker's control, was printed without proper sanitization when Gmail was browsed in the basic HTML layout.
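The bug class described above, next to its fix, as an added example that is not Gmail's code and not part of the original report. The banner markup, the function names and the sample From header are assumptions made for illustration.

```python
import html
from email.header import decode_header, make_header
from email.utils import parseaddr

# Hypothetical banner template; Gmail's real markup is not shown in the report.
BANNER = ('<div class="phishing-alert">This message may not have been '
          'sent by: {name} &lt;{addr}&gt;</div>')

# Constructed sample header carrying the markup from the report as display name.
SAMPLE = '"<img src=# onerror=alert(document.cookie)>" <sender@example.test>'


def sender_parts(from_header):
    """Split a raw From header into (display name, address)."""
    name, addr = parseaddr(from_header)
    # Decode RFC 2047 encoded-words first, so that escaping is applied to
    # the text that will actually be displayed.
    name = str(make_header(decode_header(name)))
    return name, addr


def render_unsafe(from_header):
    """Vulnerable form: sender-controlled text is placed into HTML as-is."""
    name, addr = sender_parts(from_header)
    return BANNER.format(name=name, addr=addr)


def render_safe(from_header):
    """Hardened form: every sender-controlled field is HTML-escaped on output."""
    name, addr = sender_parts(from_header)
    return BANNER.format(name=html.escape(name, quote=True),
                         addr=html.escape(addr, quote=True))


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE))
    print("safe:  ", render_safe(SAMPLE))
```

Escaping at the point of output, rather than filtering on receipt, also covers messages that were stored before the fix.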
Steps to reproduce
- Go to a well-known fake mailer such as Emkei, or use any open relay SMTP server that triggers the phishing alert.
- Send an email to the victim Gmail address with the <img src=# onerror=alert(document.cookie)>.
- Open your Gmail in the basic HTML layout.
- Open the received email. BOOM!
The XSS is stored: simply reopen the mail anytime you want. This vulnerability was fixed in a matter of hours; I got a reward and have been listed in the Google Security Hall of Fame.
Thank you, Google Security Team! :)