
ZalGDOS – Zalgo Gmail DOS

2018-01-25T09:44:47+00:00 | 11 January 2018

For a browser, rendering a UTF-8 combination of multiple (meta-)characters is hard.

In fact, trying to display a text with 10k or more metacharacters (such as a big Zalgo text) will almost always slow down rendering of the whole page, which slows down even the most basic operations (scrolling, zooming, etc.) and even leads to unresponsiveness and page crashes.

Keeping that in mind, I tried to generate a huge UTF-8 combination of characters, hoping to produce a “browser DOS character”, just for fun.

To achieve that, I started writing a simple Python script that sends a combination of multiple metacharacters (1024^2 == 1MB) to my email, but something I had not anticipated happened:

GMail just died.

In fact, GMail crashed with an Error 500 (Internal Server Error) followed by an Error 502 (Bad Gateway). I could not reach my email even from the GMail app on my smartphone.

I was able to remove the email using a script written in the Google Apps Script language, which I had been using to get rid of old automatic emails in my inbox.

Even though I had deleted the email, I still could not log in to my GMail account for more than 1 hour.

That’s why I decided to cause more damage: I created a single 300KB character and used it in the subject, body (HTML) and body (text) fields of the mail.

To do that, I used the UTF-8 char #857 “͙ ”, which has a nice “stacking” characteristic: a viewer tends to think of it as a single character, but actually multiple characters are printed one on top of the other.

Sending the email with that character made a test email folder unreachable (error 500) for 4 days!
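
A defensive check for the stacking behaviour described above, as an added example (it is not the author's ZalGDOS.py and not Google's fix): it measures the longest run of combining marks in a string and clamps longer runs before the text reaches a renderer. The limit of 8 marks, the function names and the sample strings are assumptions made for this illustration.

```python
import unicodedata

# Assumed policy limit for this example; not a value taken from the article.
MAX_MARKS_PER_BASE = 8


def is_mark(ch: str) -> bool:
    """True for Unicode combining marks (general categories Mn, Mc, Me)."""
    return unicodedata.category(ch).startswith("M")


def longest_mark_run(text: str) -> int:
    """Length of the longest run of consecutive combining marks."""
    longest = run = 0
    for ch in text:
        run = run + 1 if is_mark(ch) else 0
        longest = max(longest, run)
    return longest


def clamp_marks(text: str, limit: int = MAX_MARKS_PER_BASE) -> str:
    """Keep at most `limit` combining marks per run and drop the rest."""
    kept = []
    run = 0
    for ch in text:
        run = run + 1 if is_mark(ch) else 0
        if run <= limit:
            kept.append(ch)
    return "".join(kept)


# Constructed samples: one heavily stacked string built from code point 857
# (0x359), and ordinary accented text in decomposed (NFD) form.
STACKED = "Hi" + "\u0359" * 5000 + "!"
LEGIT = unicodedata.normalize("NFD", "Việt Nam, crème brûlée")

if __name__ == "__main__":
    for label, sample in (("stacked", STACKED), ("legit", LEGIT)):
        cleaned = clamp_marks(sample)
        print(label, len(sample), longest_mark_run(sample), len(cleaned))
```

Ordinary accented text passes through unchanged because real scripts stack only a few marks on one base character, so the same measurement can also be used to flag a subject or body field for rejection or logging.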

The bug was promptly reported to the Google Security team, who managed to deploy the fix in a couple of weeks.

This earned me a place in the Google Vulnerability Hall Of Fame.


Here you can find ZalGDOS.py, the script I used to test the vulnerability.

More info and full story
