Gmail is one of the most popular email services. Its free version provides one of the best free email services you can find. Google also offers many unique and useful features you can find on other email services. One of them is the dynamic email feature. It’s also known as AMP4Email.

AMP4Email can be considered the newest feature from Google for its Gmail service. This feature allows you to add dynamic HTML content in your email. With this capability, you can do many things. For example, the message you send will activate a command that the recipient can use. So, if you use this feature to create a message to spread a specific event, like a questionnaire, or let the recipient access a catalog, you can do it beautifully with its dynamic feature.

However, the Google Vulnerability Reward Program found something worrying about this new feature. They expose the serious problem and bug that occur in this feature back in August this year. This feature is prone to a hacking attack that utilizes the dynamic ability and its ability to include HTML content in the email. The hacker and phisher can easily use the XSS or cross-site scripting method to inject a link that will start the attack through the AMP4Email feature.

According to Michał Bentkowski, Chief Security Researcher, via the blog post at Securitum, by allowing the access to include dynamic content in email, anyone can easily attach the JavaScript code in it. And, that could be dangerous. This condition doesn’t only work for the dangerous link. People also can add tags and attributes that are safe and even whitelisted by AMP4Email. Yet, it still posts some threat.

This feature doesn’t allow adding id attribute in the tags. This is another problem you must face. People can use this user-controlled id attribute to create HTML elements that they can use for the DOM Clobbering attack.

Why it can be used for DOM Clobbering? He explained that when you want to create an element in HTML, which that element will be referenced to specific JavaScript, you can use two function lines. They are the “document.getElementById(‘username’)” and “document.querySelector(‘#username’)” command lines. This is the standard method to create the HTML element that referenced to JavaScript. However, you also can use other methods.

The other methods you can use are the global window object property. You can use this part to create the access that you want. The attacker uses the “window.username” command line to create similar effect like when you use “document.getElementById(‘username’)”. In short, AMP4Email provides a much easier method to create the elements that the attacker can use to inject the code in the email.

With that easier method to inject the code, this feature can become many problems in the future. And, it increases the risk of DOM Clobbering. DOM Clobbering itself is a legacy feature you can find on many web browsers. Moreover, this is also the source of many problems that can happen on many applications you use to access that web browser or integrated with it.

The researchers also found out how AMP4Email can cause a problem. They test it by using their id attributes to the HTML elements. Then, when you open the email that loads the JavaScript file the sender send to you using this new feature, it adds the specific URL in it. This URL is then described as the “undefined” link. When it happens, it is proved that DOM Clobbering occurs.

This condition is common in the DOM Clobbering. It happens because the expected property that was originally added to the loaded JavaScript is missing. Therefore, the URL turns into an undefined URL link. When this condition occurs, it can affect the performance of the web browser you use to open the message. Furthermore, it also can affect the application and other parts of your device software.

It doesn’t seem dangerous when you see it at glance. The problem also can be solved by repairing the HTML elements in it. However, this condition also is proved that the script code in the email can be activated through the AMP4Email feature. So, if you want, you can tweak the code and attributes for this kind of email. With this wide-opened path to enter others’ systems, the attacker can easily inject malicious code that can damage and cause a bigger problem.

Regarding this problem, Google has finally released the patch to repair the problem caused by their new feature. This new patch will solve the DOM Clobbering problem and risk of the injection of unwanted script code using the AMP4Email feature

Leave a comment