Google has patched a dangerous vulnerability in Gmail related to the way web browsers handle rich HTML content, exploitable through a legacy browser behaviour known as “DOM Clobbering”.
The bug was reported to the company in August 2019 by a security researcher. The available information shows that it lies in the dynamic mail loading engine called AMP4Email.
Gmail Bug Fixed By Google: “DOM Clobbering” Exploit Used Against The Service
Recently news broke about a dangerous bug surrounding Gmail, Google’s email service. The problem lies within the dynamic HTML content loading scripts. The engine responsible for this is called AMP4Email — it allows web browsers to load dynamic elements and rich formatting when messages are being composed.
Possible security issues arise from the fact that AMP4Email contains a strict validator which uses a whitelist to control exactly what type of content can be passed to the email composer. If a user tries to insert an unauthorized HTML element it is discarded and an error message is displayed. However, a security issue was found thanks to a legacy web browser feature called DOM Clobbering. In essence this is an old browser behaviour in which named HTML elements within a page can be referenced as JavaScript objects.
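To make the mechanism concrete, here is an added example in JavaScript (not code from the article, from Google or from the AMP4Email project). It models how named HTML elements become properties of a page's global object, including the two-level `formId.controlName` case, and shows two defensive checks: a sanitizer-side scan that flags `id`/`name` values colliding with globals a page's own scripts rely on, and a script-side guard that refuses to trust a global that turns out to be a DOM node. The HTML snippet, the list of reserved global names and all helper names are constructed for the demonstration; the tag scanner is deliberately simplified, and a real sanitizer should walk a parsed DOM tree instead.

```javascript
// Added example: not code from the article, Google or AMP4Email.
// Models DOM Clobbering and two defensive checks against it.
//
// Browsers expose elements carrying an `id` (and, for a few legacy
// elements, a `name`) as properties of the global object. A <form> with
// an id additionally exposes its named controls as properties of that
// form, so <form id="config"><input name="debug"></form> makes
// `window.config.debug` resolve to an <input> element instead of the
// value a script expected.

// Elements whose `name` attribute creates a window-level property.
const NAMED_ON_WINDOW = new Set(["embed", "form", "iframe", "img", "object"]);
// Elements reachable as form.<name> when nested inside a <form>.
const FORM_CONTROLS = new Set([
  "button", "fieldset", "input", "object", "output", "select", "textarea", "img",
]);

// Returns the global property paths the fragment would clobber.
// Simplified tag scanner (assumption: adequate for a demo; a real
// sanitizer must walk a parsed DOM tree rather than use regexes).
function clobberedPaths(html) {
  const tagRe = /<(\/?)([a-zA-Z][\w-]*)\b([^>]*)>/g;
  const attrRe = /(?<![\w-])(id|name)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const paths = new Set();
  const formStack = []; // ids of the currently open <form> elements
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const [, slash, rawName, attrText] = tag;
    const tagName = rawName.toLowerCase();
    if (slash === "/") {
      if (tagName === "form") formStack.pop();
      continue;
    }
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(attrText)) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2] ?? attr[3] ?? attr[4];
    }
    if (attrs.id) paths.add(attrs.id);
    if (attrs.name && NAMED_ON_WINDOW.has(tagName)) paths.add(attrs.name);
    const enclosingForm = formStack[formStack.length - 1];
    if (enclosingForm && attrs.name && FORM_CONTROLS.has(tagName)) {
      paths.add(`${enclosingForm}.${attrs.name}`);
    }
    if (tagName === "form") formStack.push(attrs.id || null);
  }
  return [...paths];
}

// Sanitizer-side check: report named elements that collide with globals
// the page's own scripts depend on (hypothetical list supplied by caller).
function findCollisions(html, reservedGlobals) {
  const reserved = new Set(reservedGlobals);
  return clobberedPaths(html).filter((p) => reserved.has(p.split(".")[0]));
}

// Script-side guard: only trust a global that is not a DOM node or an
// HTMLCollection. In a browser `value instanceof Node` / `instanceof
// HTMLCollection` would do; the duck-typed check here lets the function
// run under Node.js against a constructed scope object.
function trustedGlobal(scope, key) {
  if (!(key in scope)) return undefined;
  const value = scope[key];
  const looksLikeDom =
    value !== null &&
    typeof value === "object" &&
    (typeof value.nodeType === "number" || typeof value.namedItem === "function");
  return looksLikeDom ? undefined : value;
}

// Constructed demo input: markup a naive tag allowlist would accept
// (only ordinary tags) but which clobbers the hypothetical `config` global.
const DEMO_HTML =
  '<form id="config"><input name="debug" value="1"></form>' +
  '<img name="AMP" src="x.png"><div id="harmless"></div>';
const DEMO_RESERVED = ["config", "AMP"]; // hypothetical script globals

console.log(clobberedPaths(DEMO_HTML));
// [ 'config', 'config.debug', 'AMP', 'harmless' ]
console.log(findCollisions(DEMO_HTML, DEMO_RESERVED));
// [ 'config', 'config.debug', 'AMP' ]

// What an unguarded script would see versus the guarded version
// (constructed scope standing in for `window` after clobbering).
const clobberedScope = { config: { nodeType: 1, debug: { nodeType: 1 } } };
console.log(clobberedScope.config.debug ? "debug on (clobbered!)" : "debug off");
console.log(trustedGlobal(clobberedScope, "config")); // undefined
```

The two checks complement each other: the allowlist scan stops collisions at sanitization time, which is where a validator like the one described above operates, while the runtime guard protects scripts that cannot assume every surface feeding the DOM is sanitized.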
The security analysis of AMP4Email shows that hackers can manipulate the HTML fields in order to carry out a cross-site scripting attack (XSS attack) that can lead to many problems for the victim users. The main concern is the loading of unauthorized and malicious objects which can carry viruses and web threats. As web email messages are one of the primary messaging channels, they are a very likely source of malware. Common ones can include the following types:
- Cryptocurrency Miners — These small-size scripts will load complex, hardware-intensive tasks which take a heavy toll on the performance of the computers. When one of the tasks is reported as completed the hackers will receive income in the form of cryptocurrency directly wired into their wallets.
- Trojan Code — Simple web scripts can deploy a dangerous Trojan onto the victim machines which will allow the hackers to take control of the infected machines.
- Phishing Redirects — By inserting URLs or replacing existing ones the hackers can lure recipients into opening fake web pages.
Fortunately Google has resolved the issue in a timely manner and the security researcher has been rewarded via the company’s official bug bounty program. For further information you can read the detailed explanation on the researcher’s blog.