Stored XSS in Google connected Apps EML, MHT Viewer with Drive

Rishu Ranjan
Dec 12, 2020

This is the story of a live bug that is still present in the Google connected app EML, MHT Viewer with Drive. The purpose of this post is to make people aware of it and to have them avoid using the above-mentioned app.

This app is suggested when you open an .eml file in Drive.

suggested apps for eml file

Steps to reproduce

1. Generate an .eml file (test.eml) containing an XSS payload.

test.eml code

2. Upload the file to Drive, authorize the app with your Google account, and open the file with mhtviewer.booogle.net.

test.eml uploaded on drive

3. Observe that the malicious JS executes:

confirm(document.domain)
confirm(document.cookie)
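The defect behind these steps is that the viewer renders the HTML body of an .eml file as-is. The script below is an added example, not the post's test.eml and not the viewer's code: it parses a constructed sample message with Python's standard library, flags active content (script elements, on* handlers, javascript: URLs) for triage, and produces an allowlisted rendering of the kind a viewer should produce instead. The function names (html_parts, scan_html, sanitize_html, triage_eml), the allowlists and the sample message are all assumptions made for this illustration.

```python
import email
import html
from email import policy
from html.parser import HTMLParser

# Constructed sample message (the post's test.eml is shown only as a screenshot).
SAMPLE_EML = b"""\
From: sender@example.test
To: victim@example.test
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please see the report.

--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p onmouseover="alert(1)">Please see the <a href="javascript:void(0)">report</a>.</p>
<script>confirm(document.domain)</script>
<img src="x" onerror="alert(2)">
</body></html>
--b1--
"""

# Triage rules: elements and attribute values that execute script when rendered raw.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "meta", "link", "base", "form"}
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:")
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}

# Rendering allowlist (assumed for this example): anything not listed is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "div", "span",
                "table", "tr", "td", "th", "h1", "h2", "h3", "blockquote", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def html_parts(raw: bytes) -> list[str]:
    """Return the decoded text/html bodies of an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [part.get_content() for part in msg.walk() if part.get_content_type() == "text/html"]


class ActiveContentScanner(HTMLParser):
    """Collects markup that would run script if the viewer rendered the HTML unchanged."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value and value.strip().lower().startswith(ACTIVE_SCHEMES):
                scheme = value.strip().split(":")[0].lower()
                self.findings.append(f"{name} with {scheme}: URL on <{tag}>")


def scan_html(markup: str) -> list[str]:
    scanner = ActiveContentScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags and attributes; text is escaped, script/style bodies dropped."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: data arrives decoded and is re-escaped on output
        self.out: list[str] = []
        self._skip = 0  # nesting depth inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript:, data: and relative links alike
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="noopener noreferrer" target="_blank"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data))


def sanitize_html(markup: str) -> str:
    sanitizer = AllowlistSanitizer()
    sanitizer.feed(markup)
    sanitizer.close()
    return "".join(sanitizer.out)


def triage_eml(raw: bytes) -> dict:
    """What a viewer should do before rendering: log findings, render only sanitized output."""
    parts = html_parts(raw)
    return {"findings": [f for p in parts for f in scan_html(p)],
            "sanitized": [sanitize_html(p) for p in parts]}


if __name__ == "__main__":
    result = triage_eml(SAMPLE_EML)
    for finding in result["findings"]:
        print("flagged:", finding)
    print(result["sanitized"][0])
```

The scanner is a triage aid and will miss obfuscated variants, so the rendering path must never depend on it: the allowlist sanitizer is what keeps script out, and a real viewer should additionally serve the result inside a sandboxed iframe under a Content Security Policy, on an origin that holds no user session, so that even a sanitizer bypass cannot read the host application's cookies.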

Attack scenario

Cross-Site Scripting (XSS) on a website also damages the organization's reputation, as it lets an attacker tamper with the content shown to users.
Because the vulnerability is persistent, it can affect a large number of users: an attacker can compromise many users at once instead of targeting them individually. In this scenario, an attacker sends a malicious email attachment (an .eml file) to many users; a victim opens it with the suggested vulnerable app, and the script then performs malicious actions on the victim's behalf.

Google Explanation

Google Reply

This is Google's reply, which is valid. I tried to contact the third-party app owner but had no luck. Please share this with others so they refrain from using this app. Suggestions are welcome.

Peace out!

Rishu Ranjan

Security Lead at @Paytm | Ex- SAFE Security | Acknowledged by Apple, Google, Microsoft etc.| Security always Code rarely