I like to analyse random apps on the Google Play Store and this time I dedicated time to the Outlook.com Android App.
At the time, other guys were looking at the app as well and released this analysis about insecure data storage in the app.
Most, if not all email apps allow HTML emails so I decided to play around a little bit with this.
I wrote the following Python script to send emails via a Gmail account in HTML format:
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

fromaddr = '<[email protected]>'  # sender address
toaddrs = '<[email protected]>'    # recipient address

msg = MIMEMultipart('alternative')
msg['Subject'] = "Breaking Stuff"
msg['From'] = fromaddr
msg['To'] = toaddrs

html = ""  # HTML goes here.
mime = MIMEText(html, 'html')
msg.attach(mime)  # attach the HTML part to the multipart message

username = '<[email protected]>'
password = '<password>'
server = smtplib.SMTP('smtp.gmail.com:587')
server.starttls()  # Gmail requires STARTTLS on port 587
server.login(username, password)
server.sendmail(fromaddr, toaddrs, msg.as_string())
server.quit()
What else could I do with this? There is a very useful HTML tag called <meta> that has a cool attribute named http-equiv.
With the value refresh on http-equiv we can refresh a page to a target URL. A content value of 0 indicates an immediate refresh:
<meta http-equiv="refresh" content="0;URL='http://maliciouswebsiteurl'" />
Bingo! Wonder what happened as soon as I opened the email?
Because the app rendered the tag, opening the email was enough to redirect the user to a malicious website.
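An email client that renders HTML should treat <meta http-equiv="refresh"> as hostile and strip it before display. The following is an added example, not code from the post or from the Outlook.com app, of what such a defensive filter looks like: it parses an HTML body with Python's standard-library html.parser, records the target URL of every meta refresh it finds (for logging or alerting), and removes the tags so the remaining markup renders without navigating anywhere. The sample email body and the example.invalid URL in it are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample: an HTML email body carrying a meta refresh of the
# kind described in the post (the URL is a made-up placeholder).
SAMPLE_EMAIL_HTML = (
    "<html><head>"
    "<meta charset='utf-8'>"
    "<meta http-equiv=\"refresh\" content=\"0;URL='http://example.invalid/landing'\" />"
    "</head><body><p>Hello</p></body></html>"
)

# Matches the refresh content syntax: "<seconds>" optionally followed by
# ";url=<target>" (or ",url=") with optional quotes around the target.
CONTENT_RE = re.compile(
    r"^\s*\d+\s*(?:[;,]\s*url\s*=\s*['\"]?([^'\"\s]+))?", re.IGNORECASE
)


def parse_refresh_target(content):
    """Return the URL a refresh directive points at, or None when it has no URL
    (a bare delay only reloads the current document) or does not parse."""
    m = CONTENT_RE.match(content or "")
    if not m:
        return None
    return m.group(1)


class MetaRefreshScanner(HTMLParser):
    """Collects every <meta http-equiv=refresh> tag seen while parsing.

    html.parser lowercases tag and attribute names for us, so upper-case
    variants such as <META HTTP-EQUIV=Refresh> are caught as well."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.raw_tags = []  # exact source text of each offending tag
        self.targets = []   # parsed target URL (or None) per tag

    def handle_starttag(self, tag, attrs):
        # Self-closing "<meta ... />" also arrives here via handle_startendtag.
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        self.raw_tags.append(self.get_starttag_text())
        self.targets.append(parse_refresh_target(a.get("content", "")))


def sanitize_email_html(html):
    """Strip meta refresh tags from an HTML email body.

    Returns (cleaned_html, targets): the body with the offending tags removed,
    and the list of redirect targets that were found, for logging."""
    scanner = MetaRefreshScanner()
    scanner.feed(html)
    scanner.close()
    cleaned = html
    for raw in scanner.raw_tags:
        cleaned = cleaned.replace(raw, "")
    return cleaned, scanner.targets


if __name__ == "__main__":
    body, found = sanitize_email_html(SAMPLE_EMAIL_HTML)
    print("redirect targets removed:", found)
    print("safe body:", body)
```

The filter only answers the meta refresh problem shown in the post; a real client-side sanitizer would also need an allow-list for other active content (scripts, external form actions, javascript: URLs), but the same parse-record-strip pattern applies.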
I reported this vulnerability to MSRC in May and Microsoft kept me in the loop while the vulnerability was being fixed.
The latest version released in July (126.96.36.199.49.7564) has the issue fixed. Please update your Outlook.com app to the latest version.
Microsoft added my name to the Security Researcher Acknowledgments for Microsoft Online Services for September 2014.