How did it work?
The commit that patched the vulnerability can be seen at http://code.google.com/p/jaikuengine/source/detail?r=157.
Jaiku used an overly broad regular expression in an attempt to detect URLs to turn into links. That regular expression allowed people to create links using a number of protocols, including data:, which can be used by an attacker to take malicious actions.
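To make the class of bug concrete, here is an added example (my own illustration, not Jaiku's actual code or the regular expression from the patched commit) of a linkifier that matches any scheme followed by a colon, next to a hardened version that only turns http and https URLs into links. The sample text and the two regular expressions are constructed for this example.

```python
import html
import re

# Hypothetical overly broad pattern: any "scheme:" followed by non-space text
# becomes a link, so data: (and any other scheme) gets an href.
BROAD_URL_RE = re.compile(r'\b([a-z][a-z0-9+.-]*:[^\s<>"]+)', re.IGNORECASE)

# Hardened pattern: an explicit allow-list of schemes that may become links.
SAFE_URL_RE = re.compile(r'\b(https?://[^\s<>"]+)', re.IGNORECASE)

# Constructed sample post text containing one http URL and one data: URL.
SAMPLE = "see http://example.com and data:text/plain,hello for details"


def _anchor(url):
    """Wrap a matched URL in an anchor, escaping it so it cannot break out of the attribute."""
    safe = html.escape(url, quote=True)
    return '<a href="%s">%s</a>' % (safe, safe)


def linkify(text, pattern):
    """Replace every match of `pattern` in `text` with an anchor tag."""
    return pattern.sub(lambda m: _anchor(m.group(1)), text)


def linkify_broad(text):
    """The vulnerable behaviour: links are created for any scheme."""
    return linkify(text, BROAD_URL_RE)


def linkify_safe(text):
    """The fixed behaviour: only http/https URLs are linked; other schemes stay plain text."""
    return linkify(text, SAFE_URL_RE)


def linked_schemes(html_out):
    """List the scheme of every href the linkifier emitted, for checking its output."""
    return [m.group(1).lower()
            for m in re.finditer(r'href="([a-z][a-z0-9+.-]*):', html_out, re.IGNORECASE)]


if __name__ == "__main__":
    print("broad:", linked_schemes(linkify_broad(SAMPLE)))   # ['http', 'data']
    print("safe: ", linked_schemes(linkify_safe(SAMPLE)))    # ['http']
```

The allow-list is the important part: a denylist of known-bad schemes would miss whatever the next browser adds, whereas restricting links to the schemes the site actually needs removes data: and every other unexpected scheme at once. Escaping the URL before placing it in the href attribute is a separate, independent protection against attribute injection.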
The vulnerability mentioned here has been confirmed patched by the Google Security Team. I owe them a ton of thanks for organizing this program and giving me a chance to improve my skills.
Interested readers are encouraged to take a look at other vulnerabilities I’ve reported under Google’s Vulnerability Reward Program.