Coffeehouse Thread

5 posts

gmail woes

  • androidi

    I've never seen this before, but I just noticed, when opening an email message in gmail that I had already read previously, that it didn't open the message, and the IE8 status bar displayed that it was trying to load an image from the gmail host just when it hung. The HDD was quite active while IE was frozen, up to terminating it (ideally I'd have suspended it, but there's no easy way to suspend just the frozen IE without going to look it up in the task manager while it might be doing bad things; when IE hangs I just terminate immediately, as it could be some attack trying to escape the browser given some time). I had to terminate the process, and then when I went back to gmail to load the same message it loaded just fine and I noticed there was an image on the right side.

    Is Google allowing 3rd party bitmaps in their advertisements but hosting them on the gmail server?

    I could speculate that it was perhaps some 0day attack from a 3rd party bitmap data hosted by gmail, but I opt not to speculate such things, so let's leave that theory at that.

  • evildictaitor

    The bitmaps in adverts in gmail are data URIs. Other images are served from https://mail.google.com/mail/images/ or from https://mail-attachment.googleusercontent.com/.

    Also 3rd party hosted bitmaps can't 0-day a website (although including facebook mashup scripts can).

  • blowdart

    evildictaitor wrote:

    Also 3rd party hosted bitmaps can't 0-day a website (although including facebook mashup scripts can).

    *giggle* You sure? Because I'm not. We've had GIF images that are Java JARs before.

  • evildictaitor

    blowdart wrote:

    *snip*

    *giggle* You sure? Because I'm not. We've had GIF images that are Java JARs before.

    If your browser runs the jar file when you <img src=""> it from a third party domain, then you need to get a new browser :/

  • PopeDai

    Also 3rd party hosted bitmaps can't 0-day a website

    There was also the JPEG handling vulnerability in GDI a few years ago.
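
The GIF-that-is-also-a-JAR case mentioned in the thread works because image decoders read a GIF from the front while ZIP/JAR readers locate the archive from the end of the file. As an added example (not written by any poster in this thread), here is a server-side upload check that walks the GIF block structure and flags ZIP data; the function names and the sample bytes are constructed for illustration.

```python
ZIP_EOCD = b"PK\x05\x06"  # ZIP end-of-central-directory signature
EOCD_WINDOW = 22 + 0xFFFF  # ZIP readers look for the EOCD this close to the file end

# Constructed sample: a minimal 1x1 GIF89a, and an empty ZIP (bare EOCD record).
SAMPLE_GIF = bytes.fromhex(
    "474946383961" "01000100" "800000" "ffffff000000"  # header, screen, colour table
    "21f904" "01000000" "00"                            # graphic control extension
    "2c" "0000000001000100" "00" "02" "02" "4401" "00"  # image descriptor + pixel data
    "3b")                                               # trailer
EMPTY_ZIP = ZIP_EOCD + bytes(18)

def _skip_sub_blocks(data, pos):
    """Advance past a chain of GIF sub-blocks (length byte + payload; 0 ends it)."""
    while data[pos]:
        pos += 1 + data[pos]
    return pos + 1

def gif_end_offset(data):
    """Walk the GIF block structure; return the offset just past its 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    try:
        pos = 13
        if data[10] & 0x80:  # global colour table present
            pos += 3 * (2 << (data[10] & 0x07))
        while True:
            marker = data[pos]
            if marker == 0x3B:
                return pos + 1
            if marker == 0x21:  # extension: marker, label, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif marker == 0x2C:  # image descriptor is 10 bytes, flags in the last
                flags = data[pos + 9]
                pos += 10
                if flags & 0x80:  # local colour table present
                    pos += 3 * (2 << (flags & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)  # +1 skips LZW code size
            else:
                raise ValueError("unexpected block type 0x%02x" % marker)
    except IndexError:
        raise ValueError("truncated GIF") from None

def inspect_upload(data):
    """Return 'clean', 'trailing-data' or 'zip-polyglot' for bytes claiming to be a GIF."""
    end = gif_end_offset(data)
    if ZIP_EOCD in data[-EOCD_WINDOW:]:  # may rarely match inside pixel data
        return "zip-polyglot"
    return "trailing-data" if end < len(data) else "clean"

if __name__ == "__main__":
    for name, blob in [("plain", SAMPLE_GIF), ("gif+zip", SAMPLE_GIF + EMPTY_ZIP)]:
        print(name, inspect_upload(blob))
```

Re-encoding accepted images on the server drops both trailing bytes and embedded comment blocks, so a check like this is best used to reject and log rather than as the only control.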
