A security researcher found a persistent cross-site scripting vulnerability in Gmail, a serious bug that the Google security team has now fixed. The vulnerability is one of three XSS flaws that the researcher, Nils Juenemann, discovered recently and reported to Google.

The persistent XSS in Gmail, Google’s hugely popular webmail service, would have given an attacker the ability to run malicious scripts on a victim’s machine. Cross-site scripting vulnerabilities are perhaps the most common bugs in Web applications, and their properties and causes have been well documented for several years now. Typical XSS bugs can be dangerous, depending on the application and the user base. Persistent (stored) XSS flaws are even more serious, because the attacker’s code is stored on the target server and served back from there to every user who views the affected content.
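To make the stored-versus-reflected distinction concrete, here is an added illustration that is not code from the article, from Google or from the researcher: a toy webmail store with a vulnerable renderer beside a hardened one. The store, the function names and the sample messages are all constructed for this example.

```javascript
// Added example, not code from the article or from Gmail: a minimal "webmail"
// store that shows why stored XSS is worse than reflected XSS, and how
// HTML-entity encoding at render time neutralises it. Names are hypothetical.

// The server side: whatever lands here is served to every viewer, every time.
function storeMessage(store, from, subject, body) {
  // Persisting the raw text is fine; the defect is rendering it as HTML.
  const id = store.length + 1;
  store.push({ id, from, subject, body });
  return id;
}

// Vulnerable renderer: stored text is concatenated straight into markup, so
// a tag inside a message becomes live HTML for every user who opens the inbox.
function renderMessageUnsafe(msg) {
  return `<div class="msg" data-id="${msg.id}">` +
    `<b>${msg.from}</b>: ${msg.subject}<p>${msg.body}</p></div>`;
}

// Entity-encode the five characters that matter in HTML element and
// quoted-attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened renderer: every stored value is encoded for the context it lands
// in, so a message that contains markup is displayed as text, not executed.
function renderMessageSafe(msg) {
  return `<div class="msg" data-id="${Number(msg.id)}">` +
    `<b>${escapeHtml(msg.from)}</b>: ${escapeHtml(msg.subject)}` +
    `<p>${escapeHtml(msg.body)}</p></div>`;
}

// Render the whole inbox with a given renderer, as a viewer would see it.
function renderInbox(store, renderer) {
  return store.map(renderer).join('\n');
}

// Constructed demo data: one ordinary message and one carrying a script tag.
// Because the second message is persisted, the unsafe renderer hands that
// tag to every viewer of the inbox, not just the sender.
function demo() {
  const store = [];
  storeMessage(store, 'alice@example.invalid', 'Lunch?', 'Noon works for me.');
  storeMessage(store, 'mallory@example.invalid', 'Re: Lunch?',
    'Sure <script>alert(1)</script>');
  return {
    unsafe: renderInbox(store, renderMessageUnsafe),
    safe: renderInbox(store, renderMessageSafe),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { unsafe, safe } = demo();
  console.log('unsafe render:\n' + unsafe + '\n');
  console.log('safe render:\n' + safe);
}
```

The point of the two renderers is where the encoding happens: the data is stored as-is, and the output stage decides whether a `<script>` sequence is markup or text. A regression test that renders the inbox and asserts that no raw `<script` survives is a cheap way to catch this class of bug before it reaches users.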

Juenemann discovered that there was a way for an attacker to get access to several key pieces of information in the URLs that Gmail generates when it displays a message to a user. When a message is displayed directly, rather than as part of a user’s inbox, it contains both a static user ID and an identifier for the individual message. Those values shouldn’t be available to an attacker, but Juenemann found that he could get them through referrer leaks.
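The referrer-leak mechanism the article describes is worth seeing end to end: a page whose URL carries identifiers loads a third-party resource, and the browser sends that URL in the `Referer` header unless a referrer policy trims it. The following is an added example, not code from the article, from Google or from the researcher. It implements the W3C Referrer Policy rules for each named policy value and audits a constructed page URL; the host names, the `user=` and `msg=` parameters and the identifier values are placeholders, not Gmail's.

```javascript
// Added example, not code from the article or from Gmail: how identifiers in
// a page URL leak through the Referer header, and which Referrer-Policy
// values stop it. Hosts and parameters below are constructed placeholders.

const isHttps = (url) => new URL(url).protocol === 'https:';
const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;

// A full referrer never carries credentials or the fragment.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin-only form, e.g. "https://webmail.example.test/".
const originOnly = (url) => new URL(url).origin + '/';

// What the browser sends as Referer when a page at `pageUrl` fetches
// `targetUrl` under `policy`; null means the header is omitted.
function refererFor(policy, pageUrl, targetUrl) {
  const downgrade = isHttps(pageUrl) && !isHttps(targetUrl);
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return stripForReferrer(pageUrl);
    case 'origin':
      return originOnly(pageUrl);
    case 'strict-origin':
      return downgrade ? null : originOnly(pageUrl);
    case 'same-origin':
      return sameOrigin(pageUrl, targetUrl) ? stripForReferrer(pageUrl) : null;
    case 'origin-when-cross-origin':
      return sameOrigin(pageUrl, targetUrl) ? stripForReferrer(pageUrl) : originOnly(pageUrl);
    case 'no-referrer-when-downgrade':
      return downgrade ? null : stripForReferrer(pageUrl);
    case 'strict-origin-when-cross-origin': // default in current browsers
      if (sameOrigin(pageUrl, targetUrl)) return stripForReferrer(pageUrl);
      return downgrade ? null : originOnly(pageUrl);
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Which of the page's sensitive values survive in the outgoing header.
function leakedValues(referer, secrets) {
  if (referer === null) return [];
  return secrets.filter((s) => referer.includes(s));
}

// Audit every external fetch a page makes under a given policy.
function auditReferrerLeaks(pageUrl, resourceUrls, policy, secrets) {
  return resourceUrls.map((resource) => {
    const referer = refererFor(policy, pageUrl, resource);
    return { resource, referer, leaked: leakedValues(referer, secrets) };
  });
}

// Constructed scenario: a message view whose URL carries a user id and a
// message id, loading two external resources (one over plain http).
const PAGE = 'https://webmail.example.test/view?user=U123&msg=M456';
const RESOURCES = [
  'https://cdn.example.invalid/logo.png',
  'http://tracker.example.invalid/pixel.gif',
];
const SECRETS = ['U123', 'M456'];

function demo() {
  const policies = ['unsafe-url', 'no-referrer-when-downgrade',
    'strict-origin-when-cross-origin', 'no-referrer'];
  return policies.map((policy) => ({
    policy,
    results: auditReferrerLeaks(PAGE, RESOURCES, policy, SECRETS),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the demo shows the two defensive levers. Under `unsafe-url`, and under `no-referrer-when-downgrade` for an https resource, both identifiers travel to the third party; under `strict-origin-when-cross-origin` only the origin does; under `no-referrer` nothing does. Policy is the second line of defence, though: the first is not placing session-bound or user-bound identifiers in URLs at all, since any page that links or embeds externally can leak them.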

