Information security experts published an exploit for Outlook for Android vulnerability

Last week it was reported that Outlook app for Android, which is used by more than 100,000,000 people, eliminated dangerous XSS bug.

Vulnerability received a CVE-2019-1105 identifier and affected Outlook for Android prior to version 3.0.88. The problem was in a so-called stored XSS, that is, a “stored” or “permanent” XSS vulnerability, and was related to how the application parses incoming emails.

One of the experts who discovered the problem was F5 Networks specialist Bryan Appleby. Now he has published detailed information about the vulnerability and working on PoC-exploit for her.

Researcher said that he discovered a bug by chance when sharing JavaScript code with his friends via email. In fact, the problem was related to mail server parses HTML in the letter, and allows the attacker to embed the iframe into the message that receives a victim.

“The ability to embed an iframe into an email is already a vulnerability. Even worse, as the iframe was not affected by the block external images setting that prevents tracking pixels and web beacons. But if an attacker could gain the ability to run JavaScript in an email, there could be a much more dangerous attack vector”, – told Bryan Appleby.

Running JavaScript inside such an iframe allowed an attacker to read the content associated with the application in the context of the Outlook user logged in (that is, to steal cookies, tokens, and even contents of the mailbox).

As it turned out, Appleby told Microsoft about the bug back in December 2018, but the vulnerability was confirmed only in March 2019, after a specialist provided PoC-exploit to developers. He corrected the problem only this month, that is, more than six months later after its discovery.

Since Appleby was not the only expert who noticed dangerous XSS in Outlook, The Hacker News published a video demonstrating a vulnerability in action.

An independent security expert Gaurav Kumar, who also found a bug and reported it to Microsoft, provided the video.

Source: https://www.f5.com