Stored XSS in GMail

July 8, 2013

Here I present a (reported and fixed) Stored XSS vulnerability I discovered in, which required no user interaction.

It is due to the phishing alert that, in the basic HTML layout, doesn’t escape correctly characters in the name of the sender. The sender name, which is under the attacker’s control, was printed without proper sanitization when GMail is browsed in the basic HTML layout.

Steps to reproduce

  1. Go to a well known fake mailer such as Emkei, or use any open relay SMTP server that triggers the phishing alert.
  2. Send an email to the victim GMail address with the From field: <img src=# onerror=alert(document.cookie)>.
  3. Choose UTF-8 as encoding.
  4. Open your Gmail in the basic HTML layout.
  5. Open the received email. BOOM!
Screenshot of the Stored XSS vulnerability triggered

The XSS is stored: just simply reopen the mail anytime you want. This vulnerability was fixed in a matter of hours, I got a reward and have been listed in the Google Security Hall of Fame.

Thank you, Google Security Team! :)

XSS in Google Finance

Flash-based XSS in Nokia's MediaElements component