Gmail Checker Plus Chrome Extension Cross Site Scripting / Cross Site Request Forgery

18 Jun 2010 00:00:00, reported by Lostmon. Type: packetstorm. Source: packetstormsecurity.com

The Google Mail Checker Plus Chrome extension, installed by 303,711 users at the time of the report, is vulnerable to cross-site scripting and cross-site request forgery. An attacker can get script executed in the extension's mail preview by sending a crafted email to the victim; the same vector can be used for CSRF, for example to log the victim out of Gmail. Although the developer had patched earlier issues, this new flaw was released as a zero-day without vendor notification.

######################################
Gmail Checker Plus Chrome extension XSS/CSRF II
Extension: https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe
Advisory: http://lostmon.blogspot.com/2010/06/gmail-checker-plus-chrome-extension.html
Exploit available: yes    Vendor notified: NO
#######################################
  
In this case "Google Mail Checker Plus" version 1.1.7 (2010-02-10)
has a flaw that allows attackers to perform XSS-style attacks.

Every extension runs in its own origin, so ordinarily there is no way for a
page to alter the extension's data or to obtain sensitive data such as the
email account or password from it.

If we look at how many users have installed this extension =>
https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe
303,711 users have installed it (wow).
  
############  
explanation  
############  
  
Google Mail Checker Plus lets users see when they have new mail and
view a preview of the mail.

If an attacker composes a new mail with HTML or JavaScript code in the mail
body and sends it to the victim, the code is executed when the victim clicks
the extension to view a preview of the mail.

To exploit this we need to compose a "special" mail.
For example, if we put an iframe directly in the mail body, such as
"><iframe src="javascript:alert(location.href);"></iframe>
the extension shows this code as plain text and the alert is not executed.
So we need to use a Gmail feature (automatic conversion of links into clickable URLs):
we can compose an email body with an HTTP link like
http://"><iframe src="javascript:alert(location.href);"></iframe>
or compose a mail link like
lalala@"><iframe src="javascript:alert(location.href);"></iframe>.com
In both cases the alert is executed when the email is previewed
with the extension :) It runs in a context where the location.href value is
"about:blank".
  
  
Gmail itself is a safe place, but the extensions used to manage it can be a
potential attack vector.

For example, send an email with a Gmail logout action in the body:
http://"><iframe src="https://mail.google.com/mail/?logout&hl=es"></iframe>
This closes the Gmail session; this is a CSRF.
We have discussed it in
http://code.google.com/p/chromium/issues/detail?id=45401
The developer has released a patched version in trunk for other issues
that I disclosed before.
See the references for the previous vulns => OSVDB ID: 65459 and OSVDB ID: 65460
Previous patch =>
http://github.com/AndersSahlin/MailCheckerPlus/blob/54ab118e505feae819e676c8e525e8fe5409c981/src/mailaccount.class.js
and see the diff =>
http://github.com/AndersSahlin/MailCheckerPlus/commit/54ab118e505feae819e676c8e525e8fe5409c981#diff-0
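Both findings above (script execution through Gmail's auto-linked URLs and mail addresses, and the logout CSRF through an injected iframe) come down to the same defect: the preview inserts the message body, with Gmail's generated anchor markup, as HTML. The following is an added example, not code from the Mail Checker Plus extension or from the advisory author. It shows the defensive pattern a preview renderer should use instead: treat the body as untrusted text, HTML-escape all of it first, and only then turn matches for http(s) URLs and mail addresses into links whose attributes are built from validated, escaped values. The function names and the sample bodies are assumptions constructed for this example; the sample bodies reuse the payloads quoted in the advisory so the effect of escaping on them is visible.

```javascript
// Added example (not the extension's own code): a preview renderer that never
// lets untrusted e-mail body content reach the DOM as markup.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Candidate links in the raw body. Both alternatives stop at whitespace, quotes and
// angle brackets, so the `"` in `http://"><iframe ...>` ends the match at `http://`
// and `lalala@"><iframe ...>.com` is not a mail address at all.
const LINK_RE = /\bhttps?:\/\/[^\s"'<>]+|\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g;

// Return an href for a candidate, or null if it must stay plain text.
// Only http:, https: and mailto: links are ever produced; javascript:, data:
// and malformed URLs are rejected.
function safeHref(candidate) {
  if (candidate.includes('@') && !candidate.includes('://')) {
    return 'mailto:' + candidate;
  }
  let url;
  try {
    url = new URL(candidate); // throws on 'http://' with no host
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

// Render an untrusted body into preview HTML. Every character of the body passes
// through escapeHtml; anchors are added only around validated matches.
function renderPreview(body) {
  let html = '';
  let last = 0;
  for (const m of body.matchAll(LINK_RE)) {
    html += escapeHtml(body.slice(last, m.index));
    const href = safeHref(m[0]);
    const text = escapeHtml(m[0]);
    html += href === null
      ? text
      : `<a href="${escapeHtml(href)}" rel="noopener noreferrer" target="_blank">${text}</a>`;
    last = m.index + m[0].length;
  }
  html += escapeHtml(body.slice(last));
  return html;
}

// True when the rendered HTML contains no element other than the <a> anchors
// emitted above, i.e. no injected iframe, script or other tag survived.
function containsOnlyAnchors(html) {
  return !/<(?!a\s|\/a>)/.test(html);
}

// Sample bodies, constructed for this example: the two auto-link payloads and the
// logout CSRF body quoted in the advisory, plus a benign message with real links.
const SAMPLES = [
  'http://"><iframe src="javascript:alert(location.href);"></iframe>',
  'lalala@"><iframe src="javascript:alert(location.href);"></iframe>.com',
  'http://"><iframe src="https://mail.google.com/mail/?logout&hl=es"></iframe>',
  'Meeting notes at https://example.com/notes?id=7 or mail ops@example.com',
];

for (const body of SAMPLES) {
  console.log(renderPreview(body), '| only anchors:', containsOnlyAnchors(renderPreview(body)));
}
```

The order of operations is the point: escaping happens before linkification, and the anchor's `href` is derived from a URL the parser accepted rather than from the raw match, so a quote or angle bracket in the body can never close an attribute or open a tag. In the third sample the logout URL still becomes a clickable link, but it is no longer loaded automatically inside an iframe, which is what made it a CSRF.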
  
I release it as a 0-day and did not notify the vendor because,
for the previous issues, he patched the vulns and made
no reference to them, stealing credit for the discovery.
So I release these new vulns without notifying the developer :)
  
  
  
######################End#################################
  
Thnx for your time !!!  
  
  
--   
Sincerely:
Lostmon ([email protected])  
Web-Blog: http://lostmon.blogspot.com/  
Google group: http://groups.google.com/group/lostmon (new)  
--  
Curiosity is what moves the mind....
