Gmail for iOSRoy Castillo, a security researcher from the Philippines, identified a cross-site scripting (XSS) vulnerability in the Gmail application for iOS. The vulnerability was found in the mail attachment feature and needed no user interaction to be triggered.

In a post on his blog, Roy Castillo explains how he managed to exploit this vulnerability. After logging in to Google Analytics, he created an account with the below name.

<img src=x onerror=alert(0)>

Since Roy Castillo is a white hat hacker, the payload that he injected was not a malicious one but only one that could demonstrate the vulnerability.

After creating this account, he noted that sending an email to the victim’s email address with a Google Analytics report as an attachment resulted in the blind cross-site scripting payload to be stored in a persistent state. Therefore, when the victim accesses his Gmail application on iOS and opens the received email, the payload would be executed. This was possible as the “filename of the attachment was not escaped correctly”.

In this case the payload that was executed was an alert box with a value of ‘0’. This can be seen below along with a screenshot of the email Castillo sent from Google Analytics. Obviously, malicious hackers are generally more creative when exploiting such vulnerabilities.

The email sent by Castillo from Google Analytics

The email sent by Castillo from Google Analytics

The exploited Blind XSS Vulnerability

The exploited Blind XSS Vulnerability

Credit should also be given to the swift action of the Google Security Team who once again gave security the priority it demands and solved the issue within two days of Castillo reporting the vulnerability.

This vulnerability can be categorized as blind cross-site scripting since the payload was injected in one web application, and executed from another.

Blind cross-site scripting is a form of persistent (or stored) cross-site scripting that enables an attacker to deploy a malicious payload on a web application that, in turn, stores the payload to a persistent state, such as a database. The payload is then pulled out of storage, rendered on a page in the web application that was loaded by the user, and executed. It is important to note that blind cross-site scripting differs from most cross-site scripting as the attacker wouldn’t generally be aware of where the payload is being stored or if it is ever going to be executed.

To prevent this type of vulnerability from being exploited, any user input in a web application needs to be sanitized. In addition, when showing data to users, the data should ideally go through another sanitization cycle.

Acunetix can help to detect Blind XSS vulnerabilities through its AcuMonitor service. Script payloads are injected into the web application being tested by Acunetix. If one of the scripts is executed from another web application, the AcuMonitor service will send a notification with details of the vulnerability.


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.