######################################
Gmail Checker Plus Chrome extension XSS
extension: https://chrome.google.com/extensions/detail/mihcahmgecmbnbcchbopgniflfhgnkff
advisory: http://lostmon.blogspot.com/2010/06/gmail-checker-plus-chrome-extension-xss.html
Exploit available: yes
#######################################

In this case "Google Mail Checker Plus" version 1.1.7 (2010-02-10) has a flaw that allows attackers to mount XSS-style attacks. Every extension runs in its own origin, so the injected code cannot alter the extension's data or read sensitive data such as the account's email address or password from Gmail's origin; what it can do is run arbitrary script and markup inside the extension's popup, including loading Gmail URLs.

If we look at how many users have installed this extension => https://chrome.google.com/extensions/detail/gffjhibehnempbkeheiccaincokdjbfe
303,711 users have installed it (wow).

############ explanation ############

Google Mail Checker Plus lets users see when they have new mail and view a preview of the message. If an attacker composes a new mail with HTML or JavaScript code in the subject field and sends it to the victim, the code is executed when the victim clicks the extension icon to view the mail; when the victim accepts the alert and views the preview of the message, the iframe is executed too.

Gmail is a safe place, but the extension used to manage it can be a potential vector for attacking it. For example, send an email with a logout action for Gmail in the subject: ">
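The flaw described above is the classic "untrusted mail header written as HTML" pattern. The following is an added example (not the extension's own code and not from the advisory) that shows the vulnerable rendering beside a hardened version, using constructed message objects; the field names (from, subject, snippet) and the helper names are assumptions for illustration.

```javascript
// Added example: how an extension preview popup turns a mail subject into
// DOM-based XSS, and how to render it safely. Illustrative code only; the
// message format below is assumed, and the messages are constructed.

const constructedMessages = [
  { from: 'alice@example.com', subject: 'Lunch tomorrow?', snippet: 'Are you free at noon?' },
  {
    from: 'attacker@example.com',
    // Constructed payload: markup in the subject. Any HTML survives if the
    // popup writes the subject as HTML instead of as text.
    subject: 'Invoice <img src=x onerror="alert(document.location)">',
    // Constructed payload in the preview body: an iframe pointing at a
    // Gmail logout URL, the kind of "logout action" the advisory mentions.
    snippet: '<iframe src="https://mail.google.com/mail/?logout"></iframe>',
  },
];

// Vulnerable pattern: untrusted fields are concatenated straight into an HTML
// string that the popup later assigns to element.innerHTML (or passes to
// document.write). The markup then runs in the extension's own origin.
function renderPreviewUnsafe(msg) {
  return `<div class="mail"><b>${msg.from}</b>: ${msg.subject}<p>${msg.snippet}</p></div>`;
}

// Escape the five characters that are significant in HTML text and in quoted
// attribute values. Sufficient for those two contexts only; never use it to
// build URLs, CSS, or script bodies.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every untrusted field is escaped before it touches HTML.
// In a real popup the simplest fix is to assign msg.subject to
// element.textContent instead of building HTML at all; this string-based
// variant is used here so the example runs outside a browser.
function renderPreviewSafe(msg) {
  return `<div class="mail"><b>${escapeHtml(msg.from)}</b>: ${escapeHtml(msg.subject)}` +
         `<p>${escapeHtml(msg.snippet)}</p></div>`;
}

// Report whether a rendered string still contains a real element with the
// given tag name, i.e. whether the untrusted input survived as markup.
function containsTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, 'i').test(html);
}

// Demo: render both messages both ways and show which one leaks markup.
for (const msg of constructedMessages) {
  const unsafe = renderPreviewUnsafe(msg);
  const safe = renderPreviewSafe(msg);
  console.log(`from=${msg.from}`);
  console.log(`  unsafe render keeps <img>/<iframe>: ${containsTag(unsafe, 'img') || containsTag(unsafe, 'iframe')}`);
  console.log(`  safe   render keeps <img>/<iframe>: ${containsTag(safe, 'img') || containsTag(safe, 'iframe')}`);
}
```

The check that matters when reviewing an extension like this is not whether Gmail itself escapes the subject (it does, in its own UI) but whether every place the extension re-renders mail data does so as text. The `containsTag` helper is a quick way to assert that in a unit test: feed each untrusted field a tag and confirm the rendered output never contains it unescaped.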