Google has patched a dangerous vulnerability in Gmail which is related to an instance in which web browsers execute rich code, also known as “DOM Clobbering”.
The bug was reported to the company in August 2019 by a security expert. The available information shows that this is part of the dynamic mail loading engine called AMP4Email.
Gmail Bug Fixed By Google: “DOM Clobbering” Exploit Used Against The Service
Recently news broke about a dangerous bug surrounding Gmail, Google’s email service. The problem lies within the dynamic HTML content loading scripts. The engine which is responsible for this is called AMP4Email — it allows the web browsers to load dynamic elements and rich formatting when the messages are being composed.
The security analysis of AMP4Email shows that hackers can manipulate the code fields in order to carry out a cross-site scripting attack (XSS attack) that can lead to many problems for the victim users. The main concern is the loading of unauthorized and malicious objects which can carry viruses and web threats. As web email messages are one of the primary messaging channels they are a very likely source of malware. Common ones can include the following types:
- Cryptocurrency Miners — These small-size scripts will load a complex hardware-intensive tasks which will place a heavy toll on the performance of the computers. When one of the tasks is reported as completed the hackers will receive income in the form of cryptocurrency directly wired into their wallets.
- Trojan Code — Simple web scripts can deploy a dangerous Trojan onto the victim machines which will allow the hackers to take over control of the infected machines.
- Phishing Redirects — By inserting URLs or replacing existing ones the hackers can lure in the recipients into opening up fake web pages.
Fortunately Google have resolved the issue in a timely manner and the security researcher has been rewarded via the company’s official bug bounty program. For further information you can read the detailed explanation in the blog of the researcher.