
Stored XSS in GMail for iOS - lelf
http://roy-castillo.blogspot.ru/2013/10/google-mail-hacking-stored-xss-in-gmail_11.html
======
robmcm
Nice to see a company deal with a security flaw with such grace.

It also shows that there isn't a blame culture inside the team, otherwise
people would be looking to cover up this kind of report.

------
mike-cardwell
I found a similar vulnerability in Fastmail.FM last year. They weren't
escaping filenames of email attachments, so you could inject script.
Unfortunately they don't have a bounty program.

<plug> The flaw was discovered automatically by one of the tests in a web
application which I authored:
[https://emailprivacytester.com/](https://emailprivacytester.com/) </plug>

EDIT: I've added a new test to the tester, for hiding a script payload in the
onerror attribute of an img tag in the From header of emails.

------
blackdogie
It seems so simple and straight forward to do this attack, and the $5k pay day
is a nice bonus too. But finding things like this must take a lot of time to
discover. I would love to know about methodologies on how you can start to do
penetration testing.

Does anyone have any recommended resources? TIA!

~~~
dm2
[https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)

[https://www.owasp.org/index.php/Top_10_2013-Top_10](https://www.owasp.org/index.php/Top_10_2013-Top_10)

[http://www.nsa.gov/ia/_files/support/I733-034R-2007.pdf](http://www.nsa.gov/ia/_files/support/I733-034R-2007.pdf)

[http://www.nsa.gov/ia/_files/factsheets/TSA-13-1019-FS.pdf](http://www.nsa.gov/ia/_files/factsheets/TSA-13-1019-FS.pdf)

[https://code.google.com/p/skipfish/](https://code.google.com/p/skipfish/)

[http://google-gruyere.appspot.com/](http://google-gruyere.appspot.com/)

[http://www.google.com/about/appsecurity/tools/](http://www.google.com/about/appsecurity/tools/)

[http://googleonlinesecurity.blogspot.com/2010/11/rewarding-w...](http://googleonlinesecurity.blogspot.com/2010/11/rewarding-web-application-security.html)

[http://www-01.ibm.com/software/tivoli/governance/security/ap...](http://www-01.ibm.com/software/tivoli/governance/security/application-security.html)

[http://www-01.ibm.com/software/tivoli/products/security-netw...](http://www-01.ibm.com/software/tivoli/products/security-network-intrusion-prevention/web-application-security.html)

[http://msdn.microsoft.com/en-us/library/ff649874.aspx](http://msdn.microsoft.com/en-us/library/ff649874.aspx)

[http://msdn.microsoft.com/en-us/library/ff649461.aspx](http://msdn.microsoft.com/en-us/library/ff649461.aspx)

Source: typing "web application security" into google.com

You could probably also search for "Hacking Forums" or something similar and
find lots of black hat resources.

~~~
blackdogie
THANK YOU!

------
jonaslejon
Why is he using Google Analytics for sending the XSS?

~~~
nilsjuenemann
There are two options:

1) He is using Windows and is not using Burp or ZAP proxy for modifying HTTP
requests. With Windows you can't use <>"= in a filename.

2) Gmail is handling emails from Google Analytics a bit differently. (I don't
think so)

