Home / Info Sec / Google rewards $5,000 for a stored XSS in Gmail for iOS – (Updated)

Google rewards $5,000 for a stored XSS in Gmail for iOS – (Updated)

Google Inc. is rewarding $5,000 to Roy Castillo a Pinoy security researcher, for his find of a stored XSS bug in Gmail for iOS.

Castillo is the same security researcher who found a “primary email address disclosure” in Facebook which later rewarded him of $4,500. He also revealed to me personally, he has found another email disclosure in Facebook but until now, a bit unusual, Facebook is still not replying since October 2.

Related News : Pinoy security researcher finds another primary email disclosure in Facebook, receives $4,500.

Good to know, according to him, it just consumed 30 minutes of his time to find the bug.

Currently, there is no technical details provided by Castillo for the bug is not yet fixed, we will just update this post. 🙂


Technical details of the security flaw as provided by Castillo’s blog:

1. Login to Google Analytics
2. Create an account and name it <img src=x onerror=alert(0)>
3. Go to Reporting -> Real Time -> Overview -> Email

4. Send an email to the victim GMail address.

5.Open your GMail for iOS
6. Open the received email.
7. Successful execution.

According to the Pinoy security researcher, filename of the attachment was not escaped correctly and I was able to get the Stored XSS triggered. By using the generated report from Google Analytics I could inject script code that was executed on mail.google.com.

The XSS bug is already fixed.

About Clifford Trigo

Hi there! I am Clifford Trigo from the island of Bohol, come over here and lets have fun! :3 Just keep reading :D