Tuesday, March 5, 2019
Home / Security / Exploits / Google patches persistent XSS holes in Gmail

Google patches persistent XSS holes in Gmail

Google has closed numerous cross-site scripting (XSS) holes in its Gmail email service – which sustains more than 350 million active users that could have been victim to malicious scripts.  Security research worker Nils Juenemann revealed the three different XSS exposures in Gmail and revealed them to Google’s Security Team as part of the company’s Vulnerability payoff Program, in which researchers are rewarded with up to $20,000 for discovering and reporting qualifying bugs in its web-based services.

The worst Nils Juenemann found was a persistent XSS as this is the most dangerous type of XSS flaws because the data provided by an attacker is saved by the server, then possibly leading to the execution of arbitrary code.

The additional XSS faults were a persistent DOM-based (Document Object Model) XSS bug and a reflective DOM XSS bug in the mobile view for Gmail utilized on, for example, tablets such as the iPad. Juenemann tells that the Google Security Team was agile to secure the bugs after he reported them. Additional points about these can be found in Juenemann’s blog post, in which he also urges that users enable 2-step confirmation on their accounts.

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.

Check Also

Silent OS 3.0 for Blackphone Completely revamped

Version 3.0 migrates Silent OS to Android Marshmallow 6.0.1 and delivers the Android safety patch …