Gmail vulnerability leads to remote JavaScript execution

March 1, 2006

A recently discovered vulnerability in Google Gmail allows automatic JavaScript execution when the preview function is used. While Google filters JavaScript sent between Gmail accounts, e-mail from outside accounts such as Yahoo! is not filtered. Normally Gmail would quote the JavaScript code; however, if one includes a short amount of text in the subject and body of the message, Gmail executes the code instead.

Gmail's about page says: “We take the security of our users very seriously. In addition to virus protection that automatically scans your attachments and tries to remove any viruses found in them, Gmail also doesn't send or receive any executable files since most computer viruses are contained in executable files.”
