Google has fixed this ‘awesome’ bug in Gmail

Tech giant Google has released a fix for a Gmail flaw that made its users vulnerable to hacks and phishing. The security flaw, a cross-site scripting (XSS) bug, affected Gmail’s ‘dynamic email’ feature. The bug was first reported via the Google Vulnerability Reward Program in August this year.
Dynamic email, or AMP4Email, is a new Gmail feature that makes it possible for emails to include dynamic HTML content. The feature allows one to “take action directly from within the message itself like RSVP to an event, fill out a questionnaire, browse a catalog or respond to a comment.” The feature, however, raises security questions related to cross-site scripting.
“If we’re allowing dynamic content in emails, does that mean that we can easily inject arbitrary JavaScript code?” asked Michał Bentkowski, Chief Security Researcher at Securitum, in a recent blog post. He says that although some tags and attributes in AMP4Email are whitelisted, “id attribute is not disallowed in tags”.
