News

Information security experts published an exploit for Outlook for Android vulnerability

Last week it was reported that Outlook app for Android, which is used by more than 100,000,000 people, eliminated dangerous XSS bug.

Vulnerability received a CVE-2019-1105 identifier and affected Outlook for Android prior to version 3.0.88. The problem was in a so-called stored XSS, that is, a “stored” or “permanent” XSS vulnerability, and was related to how the application parses incoming emails.

One of the experts who discovered the problem was F5 Networks specialist Bryan Appleby. Now he has published detailed information about the vulnerability and working on PoC-exploit for her.

Researcher said that he discovered a bug by chance when sharing JavaScript code with his friends via email. In fact, the problem was related to mail server parses HTML in the letter, and allows the attacker to embed the iframe into the message that receives a victim.

“The ability to embed an iframe into an email is already a vulnerability. Even worse, as the iframe was not affected by the block external images setting that prevents tracking pixels and web beacons. But if an attacker could gain the ability to run JavaScript in an email, there could be a much more dangerous attack vector”, – told Bryan Appleby.

Bryan Appleby
Bryan Appleby
Running JavaScript inside such an iframe allowed an attacker to read the content associated with the application in the context of the Outlook user logged in (that is, to steal cookies, tokens, and even contents of the mailbox).

As it turned out, Appleby told Microsoft about the bug back in December 2018, but the vulnerability was confirmed only in March 2019, after a specialist provided PoC-exploit to developers. He corrected the problem only this month, that is, more than six months later after its discovery.

Since Appleby was not the only expert who noticed dangerous XSS in Outlook, The Hacker News published a video demonstrating a vulnerability in action.

[youtube https://www.youtube.com/watch?v=l8MfTpckBcg&w=640&h=360]

An independent security expert Gaurav Kumar, who also found a bug and reported it to Microsoft, provided the video.

Source: https://www.f5.com

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button