Security: XSS issue in Google Mail
Reported by
suhas0...@gmail.com,
Jun 12 2016
Issue description

VULNERABILITY DETAILS
XSS vector gets executed in Google Mail, Google Chrome Version 51.0.2704.84, on 12th Jun 2016 CET.

VERSION
Chrome Version: 51.0.2704.84 stable
Operating System: Windows 7

REPRODUCTION CASE
1. Login to your Google account using the Google Chrome browser (tested with Version 51.0.2704.84 on 12th Jun 2016 CET).
2. Install the Mail Track extension in the Google Chrome browser (https://chrome.google.com/webstore/detail/mailtrack-for-gmail/ndnaehgpjlnokgebbaldlmgkapkpjkkb?hl=en).
3. Now visit https://www.google.com/maps/
4. Click the menu, go to Your places -> Maps and click create maps.
5. Create a map with the title <IMG SRC=x onerror="javascript:alert('Hacked by Suhas Gaikwad ;)');">
6. Share the map with the victim or yourself.
7. On load of Gmail the XSS gets executed.

Tested with the following vectors:
a. <IMG SRC="javascript:alert('XSS');" onerror="javascript:alert(document.cookie);">
b. "><img src=x onerror=alert(1)/>
c. <IMG SRC=x onerror="javascript:alert(document.domain);">
d. <img src=x onerror=window.open('https://www.google.com/');>

Or, a simpler way: the attacker is able to send an email to the victim with the subject <IMG SRC=x onerror="javascript:alert(document.domain);"> or <img src=x onerror=window.open('https://www.google.com/');> and it will get executed.

Please refer to the video at: https://youtu.be/cjUWbz0vy1s

Attack scenario: ask the victim to install the Google Chrome MailTrack extension and create a Google map or send an email with the XSS vector as the title to the victim, e.g. <IMG SRC=x onerror="javascript:alert(document.domain);">. Also, using the XSS vector <img src=x onerror=window.open('https://www.google.com/');>, the attacker is able to do an open redirect in Gmail.

This issue is because of the MailTrack extension; disabling the MailTrack extension mitigates the XSS vulnerability.

Let me know if you need more details. Thank you.
Jun 13 2016
ackermanb: Can you help carry out the communication with the extension developer? Thanks.
Jun 13 2016
Sure, I will coordinate with the policy folks.
Jun 13 2016
@Team, thank you for the quick update. The MailTrack extension is used by more than 400000+ users, so it is a risk for all of them. An attacker is able to take over the victim's Google account via XSS. Is there any way to handle such security issues in Google Chrome browser extensions in future? Let me know if you need any details from my end.
Jun 16 2016
The developer pushed a fix to this yesterday. I ran it through the steps to reproduce and didn't see the vulnerability anymore. Thanks for the report!
Jun 17 2016
@Team, thank you for the update. Is my report eligible for a reward / Hall of Fame / swag from Google Chrome? Thank you.
Jul 14 2016
Sorry, I'm afraid it's not, and we've got to be careful of things like http://dilbert.com/strip/1995-11-13 :-) But thank you very much for the report. If you use your skills to find problems in Chrome itself or other Google apps/sites, you very well might be. Keep up the good work!
Sep 23 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nparker@chromium.org, Jun 13 2016
Components: Platform>Extensions
Labels: Security_Severity-Medium Security_Impact-None