Yesterday, I found a new Google.com XSS vulnerability that can be abused to steal information from Gmail accounts, I’ve done responsible disclosure of at least 3 vulns to Google, but since I haven’t got enough ‘motivation’, I’ll go full disclosure now.
The vulnerability exists in Blogspot polls feature, I had already disclosed a vulnerability on this system. The ‘font’ parameter was not being sanitized before being used inside an STYLE tag, so you could inject IE’s expression() and Mozilla’s -moz-binding. They fixed it, however they didn’t check enough the rest of the code, the new XSS is:
Since its Sunday and there is nothing else to do, I’ve created 2 more pocs, one of them, shows a your contacts, the second one will make Gmail forward all new received emails to another email account, no user interaction required, well you just need to open a website while still logged to Gmail.
I have tested them under IE, Konqueror, Opera and Firefox, it should work on all of them. If you want to be protected against this kind of attacks, I’d highly recommend Firefox + NoScript.
Update: Google fixed this issue, I’d like to ask the people that looked at the second poc to disable forwarding if you have not done so, I’m still getting ton of email. This screenshot shows how to disable forwarding.