AMP4Email took a DOM clobbering

Google has patched a cross-site scripting (XSS) vulnerability in AMP4Email, the dynamic email feature incorporated within Gmail in July.

The tech giant acted after a researcher flagged AMP4Email’s susceptibility to ‘DOM clobbering’ attacks.

Discussing his discovery in a blog post, Securitum’s chief security researcher Michał Bentkowski described DOM clobbering as a legacy feature of web browsers that “just keeps causing trouble in many applications”.

As a dynamic email function, AMP4Email means users can do more than simply reply to email messages: they can also RSVP to events, complete surveys, and browse catalogs, among other things.

AMP4Email whitelists valid tags and attributes to thwart XSS attacks.

But Bentkowski noticed this validation feature didn’t preclude the use of id attributes in tags – opening the door to a so-called ‘DOM clobbering’ attack.

The DOM (Document Object Model) is the programming interface for HTML and XML documents. It provides an object-oriented representation of a web page, which can be modified with a scripting language such as JavaScript.

Explaining DOM clobbering, Bentkowski wrote: “When you create an element in HTML (for instance) and then you wish to reference it from JavaScript, you would usually use a function like document.getElementById('username') or document.querySelector('#username').

“The legacy way is to just access it via a property of global window object. So window.username is in this case exactly the same as document.getElementById('username').”

Enumerating properties of ‘window’ using clobbered anchor elements, Bentkowski found that some ‘id’ attribute values were forbidden.

But the forbidden list didn’t include AMP_MODE. Once that object was clobbered, AMP’s attempt to load JavaScript files using one of the object’s properties led to a 404 URL containing an “eye-catching” ‘undefined’ in the path.

“AMP tries to get a property of AMP_MODE to put it in the URL,” said Bentkowski, but draws a blank courtesy of DOM clobbering – “hence undefined”.

The code accounting for this ‘undefined’ element tried to check the truthiness of AMP_MODE.test and window.testLocation, but Bentkowski realised the URL could be controlled with a payload that overloaded window.testLocation.
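The mechanism described above (a user-supplied element whose id shadows a global the application reads through window) can be caught on both sides of the sanitizer. The following is an added example, not code from the article or from the AMP project: it scans an HTML fragment for id/name values that collide with a list of protected globals, and wraps global lookups so that a value which turns out to be a DOM node is treated as absent. The names PROTECTED_GLOBALS, findClobberingIds, readGlobalConfig and the sample markup are constructed for illustration; AMP_MODE and testLocation are the two globals the article mentions.

```javascript
// Added example (not from the article or the AMP project): a DOM-clobbering
// pre-check for an allowlist sanitizer, plus a guarded global lookup.
// PROTECTED_GLOBALS, the function names and SAMPLE_EMAIL_HTML are constructed
// for illustration; "AMP_MODE" and "testLocation" are the globals the article names.

// Globals that application code reads via `window.<name>`. A user-supplied
// element whose id or name equals one of these would shadow it.
const PROTECTED_GLOBALS = new Set(['AMP_MODE', 'testLocation']);

// Pull every id="..." / name="..." value out of an HTML fragment.
// A regex is enough for this demonstration; a real sanitizer walks the parsed
// tree. Over-matching (e.g. data-name="...") only yields false positives.
function collectNamedAttributes(html) {
  const re = /\b(id|name)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  const values = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    values.push(m[2] ?? m[3] ?? m[4]);
  }
  return values;
}

// Return the attribute values in `html` that would clobber a protected global.
function findClobberingIds(html, protectedNames = PROTECTED_GLOBALS) {
  const hits = new Set();
  for (const v of collectNamedAttributes(html)) {
    if (protectedNames.has(v)) hits.add(v);
  }
  return [...hits];
}

// Rejecting the whole fragment, rather than silently stripping the attribute,
// keeps the failure visible to the sender and to logging.
function isSafeFromClobbering(html, protectedNames = PROTECTED_GLOBALS) {
  return findClobberingIds(html, protectedNames).length === 0;
}

// Runtime guard: a clobbered global is a DOM element (or an HTMLCollection
// when several elements share the id), never the plain object the code expects.
function looksLikeDomNode(value) {
  if (value === null || typeof value !== 'object') return false;
  if (typeof Element !== 'undefined' && value instanceof Element) return true;
  if (typeof HTMLCollection !== 'undefined' && value instanceof HTMLCollection) return true;
  // Fallback outside a browser: duck-type on nodeType, or on length + item().
  return typeof value.nodeType === 'number' ||
    (typeof value.item === 'function' && typeof value.length === 'number');
}

// Read configuration from the global object only if it is not a DOM node;
// a clobbered global is reported as undefined instead of being used in a URL.
function readGlobalConfig(name, globalObject = globalThis) {
  const value = globalObject[name];
  return looksLikeDomNode(value) ? undefined : value;
}

// Constructed sample: markup of the kind the article describes, carrying an id
// that collides with a protected global next to a harmless one.
const SAMPLE_EMAIL_HTML = '<a id="AMP_MODE" href="#">x</a><p id="intro">hello</p>';

// Stand-alone demonstration when run directly.
console.log('clobbering ids:', findClobberingIds(SAMPLE_EMAIL_HTML));
console.log('fragment accepted:', isSafeFromClobbering(SAMPLE_EMAIL_HTML));
```

Both checks are cheap and complementary: the sanitizer-side scan stops the markup before it reaches a page, and the runtime guard limits the damage if a name is ever missing from the protected list, which is exactly the gap the article describes.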

In reality, however, the exploit failed to execute thanks to AMP’s content security policy (CSP), which he was unable to bypass.

Bentkowski alerted Google to the issue via its vulnerability reward program on August 15, 2019.

On October 12, Google notified Bentkowski that the bug had been patched (probably “way earlier,” said Bentkowski).
