An unofficial blog that watches Google's attempts to move your operating system online since 2005. Not affiliated with Google.

Send your tips to

March 1, 2006

GMail vulnerability: GMail runs javascript in body

A great discovery from

If you send a mail to GMail from a different service (like Yahoo Mail) and include javascript in your body, GMail executes it.

A sample:

Subject: a
Body: asdfasdf<script>alert("asdF");</script>

I tried using document.location='' and it works, GMail homepage automatically redirects to CNN. It's funny that you can't come back to GMail unless you disable Javascript, go to and delete the mail.

Nice discussion at Digg.

Update: it's fixed.

This blog is not affiliated with Google.