Castillo is the same security researcher who found a “primary email address disclosure” in Facebook, for which he was later rewarded $4,500. He also revealed to me personally that he has found another email disclosure in Facebook but, a bit unusually, Facebook has still not replied since October 2.
Good to know: according to him, it took just 30 minutes of his time to find the bug.
Currently, there are no technical details provided by Castillo because the bug is not yet fixed; we will just update this post. 🙂
Technical details of the security flaw as provided by Castillo’s blog:
4. Send an email to the victim GMail address.
5. Open your GMail for iOS.
6. Open the received email.
7. Successful execution.
According to the Pinoy security researcher, the filename of the attachment was not escaped correctly, and "I was able to get the Stored XSS triggered. By using the generated report from Google Analytics I could inject script code that was executed on mail.google.com."
The XSS bug is already fixed.
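The class of bug described above, an attachment filename placed into HTML without escaping, is shown here as an added example; it is not code from Castillo's write-up or from Gmail. The renderer functions, the `countTags` check and the sample filenames are hypothetical and constructed for illustration.

```javascript
// Added example: a hypothetical attachment renderer, NOT Gmail's code.
// It contrasts raw interpolation of a filename with HTML output encoding.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change HTML parsing context.
// A single pass over the input avoids double-escaping '&'.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the filename is trusted and concatenated into markup, so a quote
// closes the title attribute and anything after it is parsed as HTML.
function renderAttachmentUnsafe(filename) {
  return `<a class="attachment" title="${filename}">${filename}</a>`;
}

// After: the filename is encoded at the point of output, so it can only
// ever be displayed as text, in the attribute and in the element body.
function renderAttachmentSafe(filename) {
  const name = escapeHtml(filename);
  return `<a class="attachment" title="${name}">${name}</a>`;
}

// Regression check: a correctly rendered attachment link contains exactly
// two tags (<a ...> and </a>). More than two means the filename was parsed
// as markup instead of text.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample inputs: one ordinary name, one carrying markup.
const BENIGN_NAME = 'analytics-report.pdf';
const MARKUP_NAME = 'report"><script>alert(1)</script>.pdf';

for (const name of [BENIGN_NAME, MARKUP_NAME]) {
  console.log('unsafe tags:', countTags(renderAttachmentUnsafe(name)),
              '| safe tags:', countTags(renderAttachmentSafe(name)));
}
```

A tag-count assertion like `countTags` is useful as a unit test around any template that displays sender-controlled metadata such as filenames, subjects or display names.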