XSS security hole in Gmail’s dynamic email
Credit to Author: John E Dunn| Date: Wed, 20 Nov 2019 12:08:45 +0000
Did Android users celebrate loudly when Google announced support for Accelerated Mobile Pages for Email (AMP4Email) in its globally popular Gmail service in 2018?
Highly unlikely. Few will even have heard of it, nor have any idea why the open source technology might improve their webmail experience.
They might, however, be interested to learn that a researcher, Michał Bentkowski, of Securitum, recently discovered a surprisingly basic security flaw affecting Google’s implementation of the technology.
The intention behind AMP4Email, called ‘dynamic email’ in Gmail, was to reduce tab-clutter and make viewing email more like viewing and interacting with web pages, by allowing, for example, filling out reservation forms or searching Pinterest from within an email.
For examples of what dynamic email looks like in Gmail, scroll through Google’s 2018 YouTube demo featuring AMP4Email examples taken from Doodle, Booking.com and Pinterest.
AMP4Email beats plain HTML hands down but from the start Google knew this could potentially open the door to a security wrangle – the more things an email can do, the more likely someone will abuse those capabilities maliciously.
That’s why dynamic email senders are required to use TLS encryption, as well as deploying email authentication using DKIM, SPF, and DMARC so not just anyone could spray users with empowered malicious spam.
As for the content, to avoid the possibility that attackers might execute JavaScript to attempt a Cross-Site Scripting (XSS) attack, senders must also build email content using an allow list of tags and attributes or risk validation errors that stop it rendering.
XSS is bad enough when users are lured to a vulnerable website. Embedding this in an email is even more dangerous because the threat is being delivered straight to users’ webmail inboxes.
DOM clobbering
Stopping such threats by limiting the possibilities requires a form of sanitising. In AMP4Email, this included blocking custom JavaScript but not, apparently, the HTML id attribute.
Bentkowski cites this as an example of the Document Object Model (DOM) ‘clobbering’ – basically an oversight in the sanitisation process caused by the attempt to balance the need for webmail content to display without opening an XSS hole.
Having uncovered the id attribute issue, all he had to do was use trial and error to find a vulnerable condition.
Google was told of the issue in August and was impressed enough to reply:
The bug is awesome, thanks for reporting!
What to do?
The bug was fixed at least a month ago so users receiving AMP4Email/dynamic email content have one less thing to worry about.
In fairness to Google, AMP4Email only reached general availability in July, so it’s early days. Gmail users can turn it off via Settings > the General tab > Dynamic email > Enable dynamic email.
This should be turned on by default unless the user has previously disabled image display through the Ask before displaying images setting, which has the side effect of disabling dynamic email.