Google was recently forced to patch a serious cross-site scripting (XSS) vulnerability on your favorite email client, Gmail.
The Gmail vulnerability was discovered by an ethical hacker and chief security researcher at Securitum, Michal Bentkowski. The serious vulnerability was found in one of Gmail’s features known as the Accelerated Mobile Pages for Mail (AMP4Email), which is also known as Dynamic Mail.
AMP4Email is generally structured like any other web page that uses HTML tags, which makes it susceptible to XSS attacks. Michal Bentkowski used a technique known as DOM Clobbering to find a way through which he could bypass Gmail’s anti-XSS protections and launch an attack on any organization or individual using Gmail for communication and task collaboration.
Such cross-site scripting attacks have become quite common today. An XSS attack lets an attacker run malicious code inside your web browser, and that foothold can be used to launch further attacks, including ransomware.
What is Cross-Site Scripting?
Cross-site scripting, XSS for short, is an injection attack in which the attacker injects malicious scripts into a trusted and legitimate website. The trusted site is then used to dupe unsuspecting users into believing that they are dealing with legitimate sources or people.
Because your web browser cannot tell an injected script apart from the site's own code, it runs the script with the site's privileges and you fall victim to the attack. The attacker can then access browser-related information such as cookies, saved passwords, and session tokens, to mention just a few.
XSS attacks happen in two ways:
- When data from an untrusted source enters a web application
- When data is included in content sent to an end user without scanning and validating it for malicious code
The attacks are also classified as stored or reflected XSS attacks. A stored XSS attack happens when the malicious script is stored on the server, while a reflected attack happens when the script injected by the attacker is reflected off the server, for example in an error message.
XSS attacks are mostly delivered through emails or web page forms. The attacker tricks the end user into downloading or accessing the malicious script by presenting it through seemingly harmless and legitimate means.
The attacks can also take the form of DOM XSS, through JavaScript frameworks, website APIs, or single-page applications that dynamically include attacker-controlled data in the page's DOM. That is the kind of vulnerability a security expert recently discovered in Gmail.
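The defensive side of the two points above (the sanitizer an email client applies to rich-text bodies, and why a tag allowlist alone is not enough once DOM Clobbering is in play) as an added example, not Gmail's or AMP4Email's own code. It is a small allowlist sanitizer built on Python's html.parser: it drops script/style content, event-handler attributes and unsafe URL schemes, escapes text for stored or reflected output, and additionally refuses id/name values that would shadow a global the page's own JavaScript relies on. The tag/attribute allowlist, the PROTECTED_GLOBALS set and the SAMPLE body are all constructed for this example and are not Gmail's real identifiers or a real payload.

```python
import html
from html.parser import HTMLParser

# Tags and per-tag attributes allowed in a rich-text message body.
# Hypothetical allowlist for this example, not AMP4Email's real one.
ALLOWED_TAGS = {"p", "b", "i", "a", "ul", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "id"}, "p": {"id"}, "li": {"id"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")

# Names that the surrounding page's JavaScript reads as globals or as
# document/form properties. An allowed element whose id/name equals one of
# them would shadow ("clobber") that reference even though no <script> tag
# survives the allowlist. Constructed list, not Gmail's real identifiers.
PROTECTED_GLOBALS = {"APP_CONFIG", "isTestMode", "location", "cookie"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild the input from the allowlist; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []     # audit trail of what was removed and why
        self._raw_depth = 0   # >0 inside <script>/<style>; their text is never emitted

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw_depth += 1
        if self._raw_depth or tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}.{name}")      # e.g. onclick, style
            elif name == "href" and not value.lower().lstrip().startswith(SAFE_URL_SCHEMES):
                self.dropped.append(f"href:{value}")           # javascript:, data: ...
            elif name in ("id", "name") and value in PROTECTED_GLOBALS:
                self.dropped.append(f"clobber:{tag}#{value}")  # DOM-clobbering guard
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._raw_depth = max(0, self._raw_depth - 1)
            return
        if not self._raw_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are re-escaped so "<" typed by the sender stays text.
        if not self._raw_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(untrusted_html):
    """Return (clean_html, dropped_items) for a message body that may carry markup."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.out), parser.dropped


def escape_for_html(untrusted_text):
    """Output encoding for a plain-text value that is stored or reflected into HTML.
    Use this, not sanitize(), when the value is not supposed to contain markup at all."""
    return html.escape(untrusted_text, quote=True)


# Constructed sample body for this example, not a payload taken from the page.
SAMPLE = (
    '<p id="intro">Hi <b>team</b> &amp; friends</p>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)" onclick="alert(1)">click</a>'
    '<a id="APP_CONFIG" href="https://example.com/">report</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print(clean)
    print(dropped)
    print(escape_for_html('<img src=x onerror="alert(1)">'))
```

The last anchor in SAMPLE is the interesting one: every tag and attribute in it is on the allowlist, so a sanitizer that only looks for script tags and event handlers would pass it through, yet its id would shadow a global the page's JavaScript reads. Logging the dropped items gives an audit trail that a detection pipeline can alert on when the same clobbering attempts show up across many inbound messages.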
Conclusion
The recent patching of a serious XSS vulnerability in Gmail demonstrates how ransomware attacks can happen even on one of the most trusted email services in the world.
Google is known for having several protection measures and security filters in its services, but you cannot disregard the fact that an ethical hacker was still able to use loopholes in Gmail to build a practical XSS exploit. Bad actors can use similar exploits as a vector for ransomware.
It is therefore important to deploy tight security measures not only on your web content but on your email too.
Ensure that you follow proper security practices, such as running a reliable web application firewall and always scanning email attachments for malicious content that could leave your website and network vulnerable to attack.