Google AOSP Email App HTML Injection
The Google AOSP Email App is vulnerable to HTML Injection on the email body. It allows a remote attacker to be able to send a crafted email with a payload that redirects the user to a target url as soon as he opens the email. This issue is not related with the email provider configured on the app but with the incorrect filter of potential dangerous tags on the client side.
In the following PoC we sent an email with the HTML tag meta using the attribute http-equiv refresh to redirect the user to the target URL.
As you can see from this PoC, this vulnerability has a dangerous potential for phishing attacks. With a bit of creativity, a convincing phishing scenario is plausible.
Other vectors like using intent-based URI are also another possibility. Just this week we learned that in MobilePwn2Own, an exploit was showcased that explores a vulnerability in Javascript V8 engine in Chrome, where a user just needs to browse to a page and it installs a apk without any kind of user interaction. This exploit combined with the Email app vulnerability is a very dangerous combo.
This app is available in all Android versions up to Kitkat(4.4.4). This application exists because up until Gmail for Android 5.0, it was the only way to configure other email providers (Exchange Servers, Yahoo,Hotmail,etc) on Android.
From Android Lolipop (5.0) upwards , the AOSP app no longer exists in the system.
Since probably that are still a lot of users using the AOSP Email App we decided to contact Google regarding this issue. After some interactions, Google gave us the feedback that they don't have plans for the fix of this vulnerability.
Recommendations:
- Users from Android Ice Cream Sandwich (4.0.3) upwards, should migrate the accounts from the AOSP Email App to the Gmail App, since the Gmail App version 5.0+ is supported.
- Users with previous Android versions should upgrade to Ice Cream Sandwich (4.0.3) or above where possible or use a different email client.
References:
Written by Cláudio André
Latest Advisories
- CVE-2024-28627 - Password protection bypass with javascript tampering
- CVE-2024-25697 - Cross-site Scripting vulnerability in Portal for ArcGIS
- CVE-2024-0396 - Missing Server-Side Input Validation leads to computational errors and potential denial of service in Progress MOVEit Transfer
- CVE-2023-48166 - Path Traversal vulnerability in Atos Unify OpenScape Voice
- CVE-2023-26218 - Cross-site Scripting vulnerabilities in TIBCO Nimbus
Latest Articles
- The Curious Case of Apple iOS IKEv2 VPN On Demand
- Gmail Android app insecure Network Security Configuration.
- Reviewing Android Webviews fileAccess attack vectors.
- Droidstat-X, Android Applications Security Analyser Xmind Generator
- Uber Hacking: How we found out who you are, where you are and where you went!
© 2024 INTEGRITY S.A. All rights reserved. | Cookie Policy