XSS in GMail – no user interaction.

Steps to reproduce:

  • Use any fake mailer, or any open relay SMTP server, that triggers the phishing alert.
  • Send an email to the victim's Gmail address with the From field set to:

<img src=# onerror=alert(document.cookie)>.

  • Choose UTF-8 as encoding.
  • Open your Gmail in the basic HTML layout.
  • Open the received email. BOOM!

Vulnerability status: FIXED !
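
One way to close this class of bug is to decode the From header first and HTML-escape it at the point where it is written into the warning. The sketch below is an added example, not Gmail's code and not part of the original post; the banner template, the sample messages and all function names are assumptions made for illustration.

```python
import html
from email import message_from_string
from email.header import Header, decode_header, make_header
from html.parser import HTMLParser

# From value taken from the steps above; the messages below are constructed samples.
FROM_VALUE = "<img src=# onerror=alert(document.cookie)>"
RAW_PLAIN = f"From: {FROM_VALUE}\nSubject: test\n\nbody\n"
# Same value as an RFC 2047 encoded word (UTF-8), as a mail client would send it.
RAW_ENCODED = f"From: {Header(FROM_VALUE, 'utf-8').encode()}\nSubject: test\n\nbody\n"

# Hypothetical warning template; not Gmail's markup.
BANNER = '<div class="warn">This message may not be from: <b>{sender}</b></div>'


def sender_text(raw):
    """Decode the From header to text, including RFC 2047 encoded words."""
    value = message_from_string(raw).get("From", "")
    return str(make_header(decode_header(value)))


def render_unsafe(raw):
    """Before: header text is pasted into the page as markup."""
    return BANNER.format(sender=sender_text(raw))


def render_safe(raw):
    """After: decode first, then escape for the HTML context at output time."""
    return BANNER.format(sender=html.escape(sender_text(raw), quote=True))


class TagCollector(HTMLParser):
    """Records every element and attribute name an HTML parser sees."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs += [name for name, _ in attrs]


def elements(markup):
    """Return (element names, attribute names) found in the rendered markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.attrs
```

Running `elements()` over the rendered banner works as a regression check: the escaped output must contain only the template's own elements, whatever the header held.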