Google has just fixed a security issue found in one of the key features of Gmail. The feature, named “AMP4Email”, makes email dynamic by showing actionable content inside the inbox.
Michal Bentkowski, Chief Security Officer at Securitum, explains the feature: “AMP4Email makes it possible for users to take action directly”. It is also known as dynamic mail, and it makes it possible for users to include dynamic HTML content in their emails.
Michal Bentkowski reported that AMP4Email was affected by DOM clobbering, which he came across while trying to bypass its protections. He said, “I noticed that ‘id attribute’ is not disallowed in tags”.
He tried to bypass the security issue but was unable to do so; he called it an interesting challenge and hoped that someone else would find a way to bypass it.
He reported the bug on August 15, to which Google responded, “The bug is awesome, thanks for reporting.” Google reported to Bentkowski on October 12, saying, “The issue had been resolved”.
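
The gap Bentkowski describes is that user markup may carry an `id`, and browsers expose an element with `id="x"` as `window.x`, so markup can shadow a global that page scripts expect to be their own object. Below is a sanitizer-side filter for that case, as an added example that is not code from Google, AMP or the researcher. The global names (`APP_CONFIG`, `appSettings`), the built-in list and the `user-content-` prefix are assumptions chosen for illustration.

```javascript
// Added example: id/name filter for an HTML sanitizer allow-list (runs in Node, no DOM).
// Named access: an element with id="x" becomes reachable as window.x, and some
// name= values become reachable on document, shadowing what scripts expect.

// Assumption: globals the host page's own scripts read (hypothetical names).
const SCRIPT_GLOBALS = new Set(['APP_CONFIG', 'appSettings']);
// Constructed sample of built-in window/document members worth protecting.
const DOM_BUILTINS = new Set(['cookie', 'location', 'forms', 'body', 'getElementById']);
const CLOBBER_ATTRS = new Set(['id', 'name']);

function isClobberingValue(value) {
  const v = String(value).trim();
  return SCRIPT_GLOBALS.has(v) || DOM_BUILTINS.has(v);
}

// nodes: [{ tag, attrs }] as a sanitizer hook sees them after parsing.
// mode "drop" removes the colliding attribute; mode "prefix" namespaces its value.
function hardenNodes(nodes, mode = 'drop', prefix = 'user-content-') {
  const findings = [];
  const out = nodes.map((node) => {
    const attrs = {};
    for (const [rawKey, value] of Object.entries(node.attrs)) {
      const key = rawKey.toLowerCase(); // HTML attribute names are case-insensitive
      if (CLOBBER_ATTRS.has(key) && isClobberingValue(value)) {
        findings.push({ tag: node.tag, attr: key, value });
        if (mode === 'prefix') attrs[key] = prefix + String(value).trim();
        continue; // in "drop" mode the attribute is simply omitted
      }
      attrs[key] = value;
    }
    return { tag: node.tag, attrs };
  });
  return { nodes: out, findings };
}

// Constructed sample input: two colliding attributes and one harmless id.
const sample = [
  { tag: 'a', attrs: { ID: 'APP_CONFIG', href: 'https://example.com/' } },
  { tag: 'form', attrs: { name: 'cookie' } },
  { tag: 'div', attrs: { id: 'intro' } },
];
const result = hardenNodes(sample);
console.log(result.findings);
```

On the script side, the matching habit is to avoid reading configuration from bare globals that markup can shadow, and to type-check anything that is read that way.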