AOH :: HP Unsorted G :: B06-2286.HTM

Gmail/gtalk web client dos
Gmail/Gtalk web client DoS
Gmail/Gtalk web client DoS

Gmail/Gtalk web client DoS


It is trivial to freeze the browser of a known user who is currently using Gmail with the Gtalk feature enabled.  This could lead to a denial of service attack against any user of Gmail who is using the web client.

Technical Details

Gtalk within Gmail converts some incoming emoticons into animated gifs.  Sending a large quantity at once will cause the recipient's browser to lock up until the message is fully converted.  With relatively few (100) emoticons, you can freeze a browser for a few minutes.  Larger quantities, or multiple messages could extend this time indefinitely.  If the Gmail web client is used to send the message, the sender's browser will also lock up.

The standalone Google Talk client for Windows does not suffer from this problem, and is the easiest way to send the messages to a target.  In theory, any properly configured Jabber client could be used.  Conceivably, modified Jabber clients could be configured to run a widespread DoS attack against active Gmail users at a low cost to the attacker, since the message size is small and requires little bandwidth.

Known Affected Browsers:
Internet Explorer 6.0
Internet Explorer 7.0 Beta 2
Seamonkey 1.0

Known Unaffected Browsers:
Safari 1.3.2

Any browser which the Gtalk client does not run in will be unaffected.


Disabling the Gtalk feature while using Gmail will protect a user, at the cost of the ability to chat.


Special thanks to Kevin Fleming for help research this issue.

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to