Background
I recently discovered a cross-site scripting through Flash issue in Gmail. Not only did it expose Gmail users to full account hijacking, but it also exposed corporate users that rely on Gmail through the Google Apps initiative.
Technical Details
Gmail uses a Flash movie, named uploaderapi2.swf, for file upload operations. A short investigation revealed that it used two user-input parameters (‘apiInit’ and ‘apiId’) as parameters to ExternalInterface.call(), a class that is used for interaction between Actionscript and the flash player container (a hosting HTML page in the case of browsers).
var flashParams:* = LoaderInfo(this.root.loaderInfo).parameters;
API_ID = "apiId" in flashParams ? (String(flashParams.apiId)) : ("");
API_INIT = "apiInit" in flashParams ? (String(flashParams.apiInit)) :
("onUploaderApiReady");
.
..
...
if (ExternalInterface.available) {
ExternalInterface.call(API_INIT, API_ID);
}
A snippet from uploaderapi2.swf
As can be seen in the screenshot below, before Google patched the aforementioned flaw, loading the following link popped-up an alert message with the cookies that are associated with Gmail’s domain:
https://mail.google.com/mail/uploader/uploaderapi2.swf?apiInit=eval&apiId=alert(document.cookie).
Gmail script injection screenshot
Transparent Attack
As presented in Stefano Di Paola’s famous presentation, one of the interesting characteristics of Flash attacks is the ability to mount transparent attacks in browsers such as Firefox and Google Chrome. Due to the fact that Flash is executed in the client-side, the malicious payload (in this case, the values of apiInit and apiId) can be hidden from the server by adding the ‘#’ sign before the query part of the URL: https://mail.google.com/mail/uploader/uploaderapi2.swf#?apiInit=eval&apiId=alert(document.cookie).
That way, the attacked browser sends a parameter-less request for https://mail.google.com/mail/uploader/uploaderapi2.swf (uploaderapi2.swf is loaded by Gmail with no parameters by default) – this request is therefore regarded by the server as standard and not alarming in any way. However, a successful exploitation is possible since the Flash player refers to the whole URL, including the attack payload, which comes after the ‘#’ sign.
Remediation
The first parameter that is passed to ExternalInterface.call() determines the JavaScript function name to be executed. This parameter (API_INIT) has been updated to contain a hardcoded value (‘onUploaderApiReady’) and does not rely on external user-input any more.
Acknowledgments
I would like to thank the Google security team for their quick responses and the efficient way in which they handled this security issue.
Doesn't works with my Chrome but i will forward it to someone at Google that can maybe forward this to the Gmail Team. Thanks for finding it.
Posted by: Nils Hitze | March 23, 2010 at 05:40 PM
Hello Nils,
In order to refrain from putting Gmail users under risk, this issue has been responsibly disclosed to Google. Therefore, this write-up was published only after the aforementioned security hole was fixed.
Posted by: Yair Amit | March 23, 2010 at 06:32 PM
hi YairAmit
nice work!
this hole was fied now,can share the old version of
'uploaderapi2.swf' to me?
thank u
my gmail:5up3rh3i@gmail.com
Posted by: 5up3rh3i@gmail.com | March 24, 2010 at 09:26 AM
it is a nice case.
my gtalk:evilcos#gmail.com
can u share the unfixed .swf file to me? thx:)
Posted by: cosine | March 24, 2010 at 09:46 AM
Hi Yair Amit,
It's amazing ! I wonder how many mail, or other, Services has a similar problem...
Good luck,
BigMc.
Posted by: BigMc | March 24, 2010 at 12:11 PM
Hi Yair,
very nice finding and writeup!
It seems that this category of bugs is going to be more and more discovered.
Thanks for the reference, too! :)
Stefano
Posted by: Stefano | March 25, 2010 at 09:00 AM
@All, thanks for the feedback! :)
@Stefano, I agree that discoveries of this category of bugs will become more common, as the awareness to them rises.
However, after taking a look at some of the security changes that were applied by Adobe in ActionScript 3 (such as blocking the ability to implicitly use global parameters, a common programming error in AS2), it seems that they are in the right direction. :)
Posted by: Yair Amit | March 29, 2010 at 11:10 AM