Latest Gmail Feature Comes With Serious Security Risks
Google recently released a Gmail feature intended to make webmail experiences more dynamic. Sadly, reports claim that this new dynamic feature comes with an old security issue or vulnerability. Additionally, Securitum Chief Security Researcher Michal Bentkowski discovered a security vulnerability and is now looking into the possibility that this new feature might be used as an opportunity to inject arbitrary JavaScript code.
Back in Oct. 2015, Google announced the Accelerated Mobile Pages (AMP) project developed mainly to enhance mobile web performance. In February 2016, the first web pages delivered to users surfaced. Adobe reported that US publishers saw a seven percent increase in total traffic across all platforms because of Google AMP within the year of its launch.AMP4Email introduces engaging and dynamic content in the Gmail party’s inbox. It promises dynamic interaction in the manner that we are all used to through smartphone apps but within email correspondences. The only problem is that, according to Bentkowski, the feature also brought the possibility of launching a cross-site scripting attack by hackers.
This particular cross-site scripting (XSS) vulnerability is a recurrent and obstinate issue in terms of secure development. In other words, the XSS vulnerability of Google’s AMP4EMail allows attackers to deploy malicious scripts inside the web application. The security researcher discovered this vulnerability in the Google Gmail AMP4Email implementation, which he refers to as DOM Clobbering, also known as real-world exploitation of a prevalent browser issue.
Document Object Model (DOM) clobbering is a web browser’s legacy feature. This method, instead of utilizing a function to reference an HTML-developed element from JavaScript, accesses it through a property of a global window object. DOM Clobbering can lead to interesting vulnerabilities if the app makes a decision based on the existence of particular global variables, explains Bentkowski. It means that there is a potential for an attacker to use malicious code in the dynamic Gmail message that could get deployed in the browser when the recipient opened that particular email.
The search engine giant is taking the vulnerability more seriously to call the discovery as awesome. Bentkowski reported his discovery using the Google Vulnerability Reward Program last Aug. 15. Google reportedly confirmed its receipt on Oct. 12. Forbes said that the security researcher received $5,000 (£3,895) as a reward from the search engine giant.
© Copyright IBTimes 2024. All rights reserved.