Wednesday, June 27, 2012

Google Mail Hacking - Gmail Stored XSS - 2012!

Gmail Accounts Hacking Risk 2012! 

Millions of users rely on Gmail as their information center: business correspondence, chat, placing orders, payment confirmations, the main password-recovery address for other web services, and so on.
Many people, myself included, use Gmail to store important and personal data, and none of us want that data at risk of theft or manipulation, let alone the whole Gmail account being taken over!
I found a way to do all of that!

Fortunately for us, Google puts a lot of effort into securing its services, and mostly does a great job, which includes running a vulnerability reward program.

I did some quick research and reported this vulnerability along with all the related details.
I must say Google's response was very quick, and so was their fix. (It is fixed.)

As it appears here: Vulnerability Reward Program, even after the bounty raise:
Google's reward for this bug: $1337
PoC Picture:

Technical Details: 

I have been quite busy at work and in my personal life these days, so I had set aside the reward programs of Google, Facebook and others.

I was just checking my mail the other day and I noticed something different.
Google made this nice change in Gmail, apparently around December 2011 (Google Adds circles to Gmail):
"Users can now filter their mail based on their circles"

Trusting your Google+ Friends?

When I clicked this Gmail Circles feature, I saw my Google+ connections: profile pictures, nicknames and some other circle-related data.
Do they control this data? Yes!
I had to spend some time back in the business; a Gmail stored XSS is a serious finding!

So I immediately researched that feature's JavaScript code.
It appeared that the data coming from Google+ was not sanitized by Gmail!

    zk.prototype.Ca = function $pn(a, c, d) {
        this.xa = 0;
        if (!this.ea) {
            var e = this.Bb.zb().body, g =;
            e.wa = h
        a: {
            if (d)
                switch (d.toLowerCase().split(",")[1]) {
                    case "l":
                        break a;
                    case "r":
                        break a
            e = 2
        this.wa.setPosition(cka(d), e, i, -1);
        jc(, "T-ays-avH");
        ud(, 0, 0);
        this.ea.Mc().innerHTML = c; //c = Data from Google+;
        this.wa.Me(k, 0)

This Gmail code was building a tooltip that included profile and circle information coming from your Google+ friend's account; if that friend used a payload, your mail account would have been at serious risk.
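As an added illustration (not Gmail's code), the tooltip build above modelled as two string renderers: the vulnerable one concatenates Google+-controlled fields straight into the HTML that innerHTML will parse, the hardened one escapes them first. The profile object, its field names and the event-handler check are constructed for this example.

```javascript
// Added example, not Gmail's code: models the `innerHTML = c` tooltip build,
// where c is assembled from fields a Google+ contact controls.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the characters that let text break out of an HTML text node or a
// double-quoted attribute value. URL scheme checks are a separate concern.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: untrusted profile fields are concatenated straight into
// markup destined for innerHTML, so any tag in a nickname becomes live DOM.
function renderTooltipVulnerable(profile) {
  return '<div class="tooltip">' +
    '<img src="' + profile.avatarUrl + '">' +
    '<span>' + profile.nickname + '</span>' +
    '<span>' + profile.circles.join(', ') + '</span>' +
    '</div>';
}

// Hardened form: every contact-controlled field is escaped before it reaches
// markup. In a real DOM you would rather create elements and set textContent.
function renderTooltipSafe(profile) {
  return '<div class="tooltip">' +
    '<img src="' + escapeHtml(profile.avatarUrl) + '">' +
    '<span>' + escapeHtml(profile.nickname) + '</span>' +
    '<span>' + escapeHtml(profile.circles.join(', ')) + '</span>' +
    '</div>';
}

// Detection check on the rendered output: does any tag carry an inline
// event-handler attribute (onerror=, onload=, ...)? Legitimate tooltip
// markup has none, so a match means profile data reached the DOM unescaped.
function hasInlineEventHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample profile (hypothetical data, not taken from the page).
const hostileProfile = {
  nickname: 'Alice <img src=x onerror="alert(1)">',
  avatarUrl: 'https://example.invalid/avatar.png',
  circles: ['Friends', 'Work'],
};

console.log(hasInlineEventHandler(renderTooltipVulnerable(hostileProfile))); // true
console.log(hasInlineEventHandler(renderTooltipSafe(hostileProfile)));       // false
```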

Exploiting the Vulnerability - malicious Google+ Account.

First, it is important to note that anyone who was already accepted as your friend on Google+ could trigger this attack on your Gmail account!

So all that was left was crafting a very nice Google+ account with an attractive profile; once this evil account had gathered many friends/victims, attack them all!

Google+ was, and still is, blocking the possibility of using a payload in the field required to trigger this attack, but I found a way around it. Sorry, but I cannot reveal how I did that (I am sure some of you pros might know how).

After I used my technique and crafted the evil Google+ profile, it was possible to attack the Gmail accounts of all of that profile's friends!

PoC Picture: 

As always, I appreciate the opportunity to keep my skills sharp and gain some more experience.
Thank you, Google security team.

"Ben Hayak" - Google Security Hall of Fame Page


  1. Your post is meaningless and pointless, except to brag. You've provided no proof and refuse to publish your work. This is not how disclosure is meant to work. If Google has "fixed" the issue as you suggest, your workaround used to bypass their filters can be disclosed.

    Your hacking is bad, and you should feel bad.

  2. Satish b, Thank you.

    first of all,
    there is a proof, which is a screenshot with a date, and most importantly, the vulnerable code is in here in JavaScript; the fact that you cannot read JavaScript well enough to see it's vulnerable is your own problem.
    second of all, I respect the Google Security team and never said they fixed my bypass or methods (up to the day this was posted, or maybe up to today); I only confirmed they fixed the XSS, so stop crying and deal with it.

    I don't think you would have posted as Anonymous if you were in any position to criticize my work; I think you are the one that feels bad, jealously? ;)

  3. Very nice find. Stored XSS vulnerabilities are particularly nasty and given that this one works via a trust relationship, it was even more likely to be a successful attack vector.

  4. It's cool, dude.
    Found a permanent XSS accidentally, you are full of luck, and more, it's on Google! :D

  5. Nice find!
    That's the kind of flaw that deserves more than $1337. Google should have paid more for this one.

  6. Thank you Mario, I do agree,
    but, I did enjoy posting about it.
    and this article of course:


  8. Nice :) I just found an XSS, but non-persistent, in :) and I just got 1.337 $ xD

    If you want a picture you can tell me :) Thanks

    I'm on hall of fame !


    1. I forgot something ... I just found an XSS in [subdomain] ... if I report it, will it give me something? thanks again!

  9. Thanks a lot for this great information and ideas.


  11. I got a confirmation mail from Google. But my name is yet to be updated; any idea when it would be done?
