Is e-mail a direct vector for XSS?

Yes, this is a very serious concern when it comes to reading your email via a web browser. In fact, Gmail has had this happen in a few different ways. In a broader sense, XSS within an email could be used to spread an email-based worm. The XSS payload has access to your list of contacts and also the ability to send email as you. This is similar to the Sammy XSS Worm.

When it comes to a client like Outlook or Thunderbird, this really isn't much of a concern, because the context in which the script executes is mostly useless to the attacker. Although this type of vulnerability has happened, and this type of XSS could be useful for delivering a client-side exploit such as an HTML- or JavaScript-based buffer overflow. The pairing of XSS in Thunderbird with a buffer overflow would lead to a very nasty email worm.


The answer to your question is "Yes", but you're asking it wrong. Nowadays XSS via email is only really relevant when reading an email with a web browser. Modern mail clients no longer parse scripts by default.

The mail service in which you're reading the email (as the target/victim) would need to have an available XSS injection point for an attacker to take advantage of. This has been seen before in more than a couple of services, but is still easily and quickly fixed, so the problem is rare.

You mentioned that the email was coming from @example.com, but that is of no concern to any possible attack. In the past I've primarily seen the issue arise when the mail service improperly filters mail headers or user info that then allows code injection.

And to address the last part of your question: your code will be executing under the domain of the mail service it's being run under. It would only be able to execute under example.com if you also found an XSS vuln in example.com and were able to call that from the mail service XSS injection.
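Both answers come down to the same defensive point: a webmail front end is the injection surface, so whatever HTML it takes from a message body or from header fields must be filtered before it reaches the page. The following is an added example (written for this page, not code from either answer or from any mail provider) of what that filtering looks like in a web client: an allowlist sanitizer for the HTML body that keeps harmless formatting, drops every other tag and attribute, and only lets `href` through with an http, https or mailto scheme, plus a plain escaping path for header fields such as the From display name, which are text and should never be rendered as markup. The function names, the tag and attribute allowlists and the sample inputs are my own assumptions.

```javascript
// Added example: allowlist sanitization a webmail front end could apply
// before inserting a message into the page. Not from the original answers;
// the allowlists and helper names below are assumptions for illustration.
// The tokenizer is regex based to keep the example self-contained; a
// production renderer should use a real HTML parser or a maintained
// sanitizer library instead.

const ALLOWED_TAGS = new Set([
  "p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "blockquote",
]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };
const SAFE_URL = /^(https?:|mailto:)/i; // rejects javascript:, data:, vbscript:

// Escape text so it is displayed literally rather than parsed as markup.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Parse the attribute text of one tag and keep only allowed names whose
// values pass the scheme check; everything else (onclick, style, ...) is dropped.
function filterAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  const out = [];
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = (m[2] ?? m[3] ?? m[4] ?? "").trim();
    if (!allowed.has(name)) continue;
    if (name === "href" && !SAFE_URL.test(value)) continue;
    out.push(` ${name}="${escapeHtml(value)}"`);
  }
  return out.join("");
}

// Rebuild the body from scratch: text nodes are escaped, allowed tags are
// re-emitted with filtered attributes, unknown tags vanish but their text stays.
function sanitizeHtmlBody(html) {
  // Remove script/style elements together with their contents.
  html = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = "";
  let i = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(i, m.index)); // text between tags
    i = m.index + m[0].length;
    const tag = m[1].toLowerCase();
    const closing = m[0][1] === "/";
    if (!ALLOWED_TAGS.has(tag)) continue;
    if (closing) out += `</${tag}>`;
    else if (tag === "br") out += "<br>";
    else out += `<${tag}${filterAttrs(tag, m[2])}>`;
  }
  out += escapeHtml(html.slice(i));
  return out;
}

// Header fields (From display name, Subject) are plain text: always escape,
// never hand them to the HTML path. This is the "improperly filtered headers"
// case from the second answer.
function renderHeader(name, value) {
  return `<div class="hdr"><b>${escapeHtml(name)}:</b> ${escapeHtml(value)}</div>`;
}

// Constructed sample message, not a real one.
const sampleBody =
  '<p onclick="steal()">Hi <b>there</b></p><script>alert(1)</script>' +
  '<a href="javascript:alert(1)">click</a><img src=x onerror=alert(1)>';
console.log(sanitizeHtmlBody(sampleBody));
console.log(renderHeader("From", '<script>alert(1)</script> "Bob"'));
```

Note that the sanitizer is rebuilding output rather than deleting known-bad patterns: an event handler on an allowed tag, a disallowed tag, and a `javascript:` link are all removed by the same allowlist rule instead of by three separate blocklist entries. As the second answer says, the script would still run in the mail service's origin if this step were skipped, so it belongs in the webmail renderer, not in the sending domain.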

Tags: email, xss