Old 03-02-2006, 04:32 PM   #1
RayBonga
too cool for highschool
 
 
Join Date: Nov 2005
Location: East side, West side, Worldwide!
Posts: 12,164
Vulnerability in Gmail discovered by 14 year old

Quote:
Vulnerability in Gmail
I was recently attempting to mail some javascript code from my yahoo account to my gmail when I came across this vulnerability.

Apparently javascript will run if it is within the preview of the message.

I only tested this sending from a yahoo account. Sending gmail to gmail appears to filter this out.

This is what the message has to consist of

A short subject to increase the amount of code to run

A short bit of text in the body so that the code isn't treated as quoted text

And your code

My simple test was : Subject: a Body: asdfasdf<script>alert("asdF");</script>

Here is a screen: http://www.ipnow.org/vulnerability.png

This vulnerability could be used to gather email addresses. Or even possibly to compromise the account.
http://ph3rny.blogspot.com/2006/03/v...-in-gmail.html
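The preview-rendering flaw described in the quoted post, as an added example (not code from the original post or from Gmail): a snippet builder that concatenates untrusted subject and body text into markup, next to a version that escapes it. The function names and the 60-character preview width are assumptions.

```javascript
// Added example: building an inbox-list preview ("snippet") from untrusted mail.
// previewUnsafe, previewSafe and PREVIEW_CHARS are hypothetical names.

const PREVIEW_CHARS = 60; // assumed preview width; a short subject leaves more room for body text

// Vulnerable pattern: sender-controlled text is placed into markup as-is,
// so any tags that fit inside the preview reach the browser's HTML parser.
function previewUnsafe(subject, body) {
  const text = (subject + " - " + body).slice(0, PREVIEW_CHARS);
  return '<span class="snippet">' + text + "</span>";
}

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every character that is significant in HTML text or attribute context.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened pattern: truncate the raw text first, then escape the result.
// Escaping first and truncating afterwards could cut an entity in half
// (for example "&lt" with no ";") and corrupt the preview.
function previewSafe(subject, body) {
  const text = (subject + " - " + body).slice(0, PREVIEW_CHARS);
  return '<span class="snippet">' + escapeHtml(text) + "</span>";
}

// Constructed sample: the subject and body of the test message quoted in the post.
const SAMPLE_SUBJECT = "a";
const SAMPLE_BODY = 'asdfasdf<script>alert("asdF");</script>';

console.log("unsafe:", previewUnsafe(SAMPLE_SUBJECT, SAMPLE_BODY));
console.log("safe:  ", previewSafe(SAMPLE_SUBJECT, SAMPLE_BODY));
```

In a browser, assigning the truncated text to an element's `textContent` gives the same result without hand-written escaping.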
Old 03-02-2006, 04:35 PM   #2
Theo
HAL 9000
 
Industry Role:
Join Date: May 2001
Posts: 34,515
crazy, after all this time nobody noticed such problem?
Old 03-02-2006, 04:39 PM   #3
GlydeGirl
Confirmed User
 
Industry Role:
Join Date: Feb 2005
Posts: 1,516
Most 14-year olds have WAY too much time on their hands! LOL
Old 03-02-2006, 04:39 PM   #4
nofx
Too lazy to set a custom title
 
Join Date: Nov 2002
Location: Virgin Mary's womb
Posts: 16,826
heh 404

Account Suspended
The hosting account for this domain name has been suspended for 1 of 2 reasons.

1. Your bill is over due.

2. You account what causing a problem with the server and needed to be temporarily disabled.
__________________

Often times I wonder why
There's love and hate, theres live or die.
When sickness comes I must decide:
When feelings go, theres suicide.
Old 03-02-2006, 04:41 PM   #5
xclusive
Too lazy to set a custom title
 
Join Date: Apr 2004
Location: Buffalo, NY
Posts: 35,218
good catch by the kid
__________________

I support MediumPimpin.com / Shemp's Outlawtgp.com /


Old 03-02-2006, 04:41 PM   #6
abadfish
Confirmed User
 
Join Date: Jul 2003
Location: WA
Posts: 1,482
"Account Suspended
The hosting account for this domain name has been suspended for 1 of 2 reasons.

1. Your bill is over due.

2. You account what causing a problem with the server and needed to be temporarily disabled."


Probably an "unlimited bandwidth" account...
__________________
Reanna Mae
Old 03-02-2006, 04:43 PM   #7
Pipecrew
Master of Gfy.com
 
 
Industry Role:
Join Date: Feb 2002
Posts: 14,887
Quote:
Originally Posted by abadfish
"Account Suspended
The hosting account for this domain name has been suspended for 1 of 2 reasons.

1. Your bill is over due.

2. You account what causing a problem with the server and needed to be temporarily disabled."


Probably an "unlimited bandwidth" account...
Google has sent the blackhawk helicopters to his house and his host.
Old 03-02-2006, 06:47 PM   #8
PixeLs
Too lazy to set a custom title
 
Join Date: Jul 2005
Posts: 11,922
LOL, this somehow sounds funny.
Old 03-02-2006, 06:49 PM   #9
SomeCreep
:glugglug
 
 
Join Date: Mar 2003
Location: Where the Wild Things Are
Posts: 26,118
The following text I am about to post has already been posted in this thread, but I will post it again, because this would not be GFY, if I did not.

"
Account Suspended
The hosting account for this domain name has been suspended for 1 of 2 reasons.

1. Your bill is over due.

2. You account what causing a problem with the server and needed to be temporarily disabled.
"
__________________

Webair Hosting

I use and recommend Webair for hosting.
Old 03-02-2006, 06:51 PM   #10
hova
Traffillionaire
 
Industry Role:
Join Date: Jan 2002
Location: ICQ:209371571
Posts: 22,430
what a little smartass
__________________
http://traffillions.com/

Sign up and get lifetime revshare on your traffic
Old 03-02-2006, 08:02 PM   #11
sniperwolf
Too lazy to set a custom title
 
Join Date: Mar 2005
Posts: 17,743
Quote:
Originally Posted by Pipecrew
Google has sent the blackhawk helicopters to his house and his host.
__________________
~Accepting design works~
Old 03-03-2006, 12:49 AM   #12
RayBonga
too cool for highschool
 
 
Join Date: Nov 2005
Location: East side, West side, Worldwide!
Posts: 12,164
Quote:
Originally Posted by Pipecrew
Google has sent the blackhawk helicopters to his house and his host.
More likely they'll hire him.
Old 03-03-2006, 01:09 AM   #13
Stacey_JoinRightNow
Confirmed User
 
Join Date: Feb 2005
Location: Montreal
Posts: 6,269
Quote:
Originally Posted by Soul_Rebel
crazy, after all this time nobody noticed such problem?
yeah... kids are somehow good in experimenting things, trial and error...
very imaginative.
Old 03-03-2006, 01:23 AM   #14
Shoehorn!
Die With Your Boots On
 
 
Join Date: Oct 2003
Location: Hawaii
Posts: 22,872
Quote:
Originally Posted by SomeCreep
The following text I am about to post has already been posted in this thread, but I will post it again, because this would not be GFY, if I did not.
Old 03-03-2006, 01:27 AM   #15
Zarathustra
Confirmed User
 
Join Date: Oct 2005
Posts: 1,094
kids are smarter than adults because they lack paradigmatic thinking that conforms them or limits their thinking. This essentially means that us adults have mainly been programmed to be sheep
Old 03-03-2006, 01:36 AM   #16
_Lush_
Confirmed User
 
 
Industry Role:
Join Date: Jul 2005
Location: GDL Jal.
Posts: 536
Google's response:

In the interest of minimizing the impact that security vulnerabilities have on our end users, we highly encourage anyone who discovers a vulnerability in a Google product or service to follow responsible disclosure policies by contacting us first at security/at/google/dot/com .

More information is available at:
http://isc.sans.org/diary.php?storyid=1161


I guess google was a little mad about the public disclosure of this
__________________
IcQ 50611033
Old 03-03-2006, 02:00 AM   #17
Manowar
jellyfish  
 
Join Date: Dec 2003
Posts: 71,528
Quote:
Originally Posted by Pipecrew
Google has sent the blackhawk helicopters to his house and his host.
Old 03-03-2006, 02:14 AM   #18
dtoolbox
Confirmed User
 
 
Industry Role:
Join Date: Nov 2004
Location: Singapore
Posts: 507
don't post URLs with unlimited hosting here. for sure your hosting will be suspended in no time
__________________
ICQ310514967
Old 03-03-2006, 02:16 AM   #19
Nookster
Confirmed IT Professional
 
Industry Role:
Join Date: Nov 2005
Location: Hollywood, CA
Posts: 3,744
That particular vuln has been known since gmail went live...about two years ago.
Old 03-03-2006, 02:40 AM   #20
PussyTeenies
Confirmed User
 
Join Date: Feb 2005
Location: Haarlem and Amsterdam, capital of the porn world ;-)
Posts: 6,496
old and known "bug" (problem)
__________________
Need adult hosting?

Contact us!
WARM Hosting

Need an IT solution? or someone to check your site and security? Nossie - IT Professional
Old 03-03-2006, 06:16 AM   #21
woj
<&(©¿©)&>
 
 
Industry Role:
Join Date: Jul 2002
Location: Chicago
Posts: 47,882
Quote:
Originally Posted by Nookster
That particular vuln has been known since gmail went live...about two years ago.
gmail went live? I thought it's still in beta, heh
__________________
Custom Software Development, email: woj#at#wojfun#.#com to discuss details or skype: wojl2000 or gchat: wojfun or telegram: wojl2000
Affiliate program tools: Hosted Galleries Manager Banner Manager Video Manager
Wordpress Affiliate Plugin Pic/Movie of the Day Fansign Generator Zip Manager