Google Vulnerability

Yesterday, I found a new XSS vulnerability that can be abused to steal information from Gmail accounts, I’ve done responsible disclosure of at least 3 vulns to Google, but since I haven’t got enough ‘motivation’, I’ll go full disclosure now.

The vulnerability exists in Blogspot polls feature, I had already disclosed a vulnerability on this system. The ‘font’ parameter was not being sanitized before being used inside an STYLE tag, so you could inject IE’s expression() and Mozilla’s -moz-binding. They fixed it, however they didn’t check enough the rest of the code, the new XSS is:

Simple XSS POC

Since its Sunday and there is nothing else to do, I’ve created 2 more pocs, one of them, shows a your contacts, the second one will make Gmail forward all new received emails to another email account, no user interaction required, well you just need to open a website while still logged to Gmail.


I have tested them under IE, Konqueror, Opera and Firefox, it should work on all of them. If you want to be protected against this kind of attacks, I’d highly recommend Firefox + NoScript.

Update: Google fixed this issue, I’d like to ask the people that looked at the second poc to disable forwarding if you have not done so, I’m still getting ton of email. This screenshot shows how to disable forwarding.


47 thoughts on “Google Vulnerability

  1. Pingback: » GoogHOle (XSS pwning GMail, Picasa and almost 200K customers)

  2. Pingback: Gmail XSS exploit - Google XSS - Gmail vulnerability

  3. Pingback: » Multi Google Security Holes Revealed

  4. Pingback: [SSD] Security & Development Blog » Semana negra para Google

  5. Pingback: Google Vulnerabilities Reveal Your Gmail Contacts & Messages

  6. Pingback: Unholy trinity of flaws put Google users at risk - Computer Forums

  7. Pingback: Ryan Naraine’s Zero Day mobile edition

  8. Pingback: Hackers expose holes in GMail, Blogspot, Search Appliance | xMoDx

  9. Pingback: » Hackers expose holes in GMail, Blogspot, Search Appliance

  10. Pingback: ·¨-=[WHK]=-¨· » Archive » Multiples vulnerabilidades en los productos de Google

  11. Pingback: Så kan Gmail-användare skydda sin e-post från att bli stulen « Webbsnack

  12. Pingback: Nuove vulnerabilità per i servizi Google « APNIBI blog

  13. Pingback: » Welkom » Google Analytics, Picasa, Polls en Search Appliance zijn lek !

  14. Pingback: eBusiness Industry News » Blog Archive » Bullseye on Google: Hackers expose holes in GMail, Blogspot, Search Appliance

  15. Pingback: me@myself » Google funciona como reloj…

  16. Pingback: [SSD] Security & Development Blog » Colección de vulnerabilidades XSS en aplicaciones de Google

  17. Pingback: Ernstig lek in maildienst Google - Game Forums

  18. Pingback: Geekotic · Loa agujeros de Google

  19. Pingback: A rough week for Google security — Security Bytes

  20. Hi –

    I think perhaps both links do the forwarding? I believe that I only clicked on the contacts link.

    But it looks like this sets up forwarding on the gmail account in question to your mailbox, since my gmail account has been forwarding to you for a couple of days.

    Your account is now full, and bouncing, so I suspect I’m not the only one that clicked on it, and was left with all their email forwarding to you.

    Sorry about that, and, of course, please delete.

  21. Pingback: Luka w Gmail at

  22. Ah, I’m dumb, I had no idea POC turned on gmail forwarding. Sorry for mailbombing you Fernando, I did not fully understand your POC.. and I get a LOT of freakin email via various Linux/FreeBSD mailing lists.

  23. I guess that I should have added a bigger/better explained warning, I wasn’t expecting the exposure I got such as being on slasdot/cnet/theregister/etc. I’ve just disabled that email account.

    All the code is up there, only the second poc enabled forwarding

  24. Great job, sir!

    I actually played with your POC and then forgot about it… I guess I should have payed more attention!

    It’s amazing to know just how many of us will click a link even when we know its bad… and it’s scary just how easy it is exploit something that most of us use.

    Excellent POC, excellent job!

    P.S. please disregard all the securityfocus spam and porn that I sent you… =)

  25. Pingback: The Blog That Goes Ping » Blog Archive » De-Gmailing.

  26. Pingback: Websecurity - ??? ???????

  27. Pingback: ???? ? ????‌??? ?????? ! « ???????? :: Punisher ::

  28. Pingback: Anche i ricchi sbagliano « Ket! che ci fai in Congo?

  29. Pingback: WARNING: Google’s GMail security failure leaves my business sabotaged :: David Airey :: Graphic and Logo Designer

  30. Disable filtering? Wouldn’t simply reviewing your filters work to remove any evil ones? Or am I missing something?

  31. Michael: There seems to be some confusion regarding this vulnerability/poc with pdp’s find. This only allowed to use Gmail’s built in option to forward incoming email, pdp’s find used a CSRF on Gmail to inject evil filters. According to what I read, David Airey’s account was attacked by using CSRF.

    To reverse my attack, you have to disable Forwarding, and for pdp’s you have to remove evil filters from your filters list.

  32. Pingback: Check your Gmail filters! » thepinkc

  33. Okay so two different exploits. I am still confused and now concerned as well. Your post is rather unclear about what the second exploit does, how to undo it, or if Google has or hasn’t fixed the issue. Some of us would like to be able to use forwarding again on our accounts!

  34. I think I have resolved my confusion. It isn’t that a user needs to disable forwarding, it is they need to remove the address your attack places in the pop/Forwarding page (unlike the previous attack which worked via filters). Correct?

    Many thanks.


  35. Pingback: David Airey :: Graphic and Logo Designer » WARNING: Google’s GMail security failure leaves my business sabotaged

  36. Pingback: Real-word CSRF hack | Mike Andrews

  37. My girlfriend just told me that she was seeing some “weird messages” on her account, and on inspection it looks like she fell foul of an exploit akin to your second POC quite some time ago – she’s only been getting messages now because the mailserver it’s trying to forward to has been failing.

    I didn’t hear about this exploit when it was first found, and I’m reasonably technically-focused; my girlfriend didn’t stand a chance. I’m astonished that Google didn’t send out any kind of alert to their users when they patched the hole, because anyone who’d been exploited would still have the forwarding rule in place even after the patch.

  38. Pingback: Gmail Vulnerability caused Domain loss | Domain Name News | Domain News | Expired Domains

  39. Pingback: ¿Antigua vulnerabilidad de Gmail provoca pérdida de un dominio? |

Leave a Reply

Your email address will not be published. Required fields are marked *