I was recently attempting to mail some JavaScript code from my Yahoo account to my Gmail when I came across this vulnerability.
Apparently JavaScript will run if it is within the preview of the message.
I only tested this sending from a Yahoo account. Sending Gmail to Gmail appears to filter this out.
This is what the message has to consist of:
* A short subject to increase the amount of code to run
* A short bit of text in the body so that the code isn’t treated as quoted text
* And your code
My simple test was: Subject: a Body: asdfasdf<script>alert("asdF");</script>
Here is a screen: http://www.ipnow.org/vulnerability.png
This vulnerability could be used to gather email addresses, or possibly even to compromise the account.
A 14-year-old, Anthony, discovered this vulnerability. Right now this has been fixed by Google, but no statement has been issued by them regarding this.
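
The flaw class described above is an inbox preview that places raw message text into the page without output encoding. The following is an added example, not part of the original report and not Gmail's code; it shows a weak preview renderer beside a corrected one, run on the test message quoted above. The 80-character row budget and all function names are assumptions made for illustration.

```javascript
// Added illustration; not Gmail's code. PREVIEW_BUDGET and every function name are assumptions.
const PREVIEW_BUDGET = 80; // characters shared by subject and body snippet in one inbox row

// Encode the five characters that are significant in HTML text and attribute contexts.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Cut the raw body to whatever room the subject leaves in the row.
// A short subject leaves more of the body inside the preview.
function snippetFor(subject, body) {
  const room = Math.max(0, PREVIEW_BUDGET - subject.length);
  return body.replace(/\s+/g, " ").trim().slice(0, room);
}

// Weak: raw message text is concatenated into markup, so tags in the body stay live.
function renderRowUnsafe(subject, body) {
  return `<span class="subj">${subject}</span> - ` +
         `<span class="snip">${snippetFor(subject, body)}</span>`;
}

// Corrected: truncate the raw text first, then encode, so no entity is cut in half
// and every "<" reaches the page as "&lt;".
function renderRowSafe(subject, body) {
  return `<span class="subj">${escapeHtml(subject)}</span> - ` +
         `<span class="snip">${escapeHtml(snippetFor(subject, body))}</span>`;
}

// Constructed sample: the subject and body of the test message quoted above.
const subject = "a";
const body = 'asdfasdf<script>alert("asdF");</script>';

const unsafeRow = renderRowUnsafe(subject, body);
const safeRow = renderRowSafe(subject, body);
console.log(unsafeRow); // markup still contains a live <script> element
console.log(safeRow);   // the same text, rendered inert as character data
```

Encoding has to happen at the point where the snippet is written into the page, regardless of which provider the message came from, since the preview is built from content the sender controls.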




















