A new bug has been discovered: a “distorted” message shuts down the most famous webmail in the world.
We Are Segment is back again!
This Cybersec company, part of the Interlogica group, hit the headlines last month due to the discovery of the CEO: Tormoil. A new disclosure is ready to be spread.
Roberto Bindi, a young hacker working for the company discovered that Google’s mail shuts down when receiving specific types of messages, impeding the user from accessing his/her email address. The test was born out of curiosity.
Roberto wanted to see what would have happened if a Zalgo text was injected into a web browser. To clarify, a Zalgo text is a type of text composed of characters and metacharacters (letters, numbers and other symbols) which extend sideways – above and under – the original text, thanks to the effect produced by the standard Unicode combiners.
The first experiment gave positive results. The insertion of a Zalgo text (which can also be generated by web applications) with many metacharacters (more than 1.000.000) resulted in a browser crash, namely, the web browser shut down for a few minutes.
Despite the already interesting results, Roberto Bindi didn’t stop there. As a matter of fact, he decided to send a Zalgo text via Gmail again, expecting another browser crash. Unfortunately he couldn’t even imagine what kind of results this test would reveal. What he managed to discover surpassed his imagination: it wasn’t the browser crashing; instead, it was Gmail itself.
The email is effectively received by the addressee, but the person receiving it cannot open it and, after just a few moments, Gmail shuts down showing the “Error 500” message – which entails an internal server failure due to unspecified reasons, like an irreversible code error.
The young researcher managed to find a technical artifice to bypass the block and reactivate the email account, in order to repeat the experiment and verify the duration of the Gmail shutdown. The results? 4 entire days of account shut down.
Since this discovery, Roberto decided to contact the Google’s team on the 23rd of November. After a few weeks, the team communicated that they had begun working on the issue.
“After discovering that by sending a series of special characters the Google’s mail system stopped working, I started worrying about the possible consequences and damages that this vulnerability might have caused when publicized. An ill-intentioned person might have blocked email accounts like “[email protected]…” or other work emails, by sending a simple email.
That’s why my company decided to publish this piece of information only after the issue had been solved by Google. Our choice was based on ethics and it mirrors our company’s ethics code, underlining how WeAreSegment is formed by ethical hackers” – says Roberto Bindi, researcher for We Are Segment.
“This Gmail vulnerability discovered by our researcher Roberto Bindi makes us proud to work with skilled and well-prepared team members. In addition, this demonstrates how research is one of most important aspects in our work. Thanks to this activity, we can directly contribute to the Cyber Security improvement worldwide” – says Filippo Cavallarin, We Are Segment CEO.