Gmail XSS vulnerability through Content Sniffing

Hi all,

a few months before i found this vulnerability which was reported to google and patched (Basically my way to google hall of fame).


Product: Gmail.com
Setup: Windows XP SP3 with IE 7.0 (Google Chrome frame installed)
Vulnerability: XSS possible using malicious Image as attachment(works for IE6/7)

Introduction:
The vulnerability was in www.gmail.com which can be used to send Emails. We can send images as attachments to any user. By creating malicious image file and attaching it to mail attacker can exploit this vulnerability which can lead to complete compromise of account by stealing mail receiver cookies.
Gmail was not validating contents of uploaded image files which can lead to XSS by including java scripts in image files. Following are screen shots which demonstrates complete attack vector.










basically firstly this attack was limited for IE 6/7 but after some research i was able to bypass the IE8/9/10 protection which we presented in NullCon 2012. detail paper for same will be published soon here on g4h.