1. Vulnerability Properties
Title: Google AOSP Email App HTML Injection
CVE ID: Pending
CVSSv3 Base Score: 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
Products: AOSP Email App
Advisory Release Date: 16 November 2015
Advisory URL: https://labs.integrity.pt/advisories/google-aosp-email-app-html-injection/
Credits: Discovery by Cláudio André <ca[at]integrity.pt>
2. Vulnerability Summary
A remote attacker can send a crafted email with a payload that redirects the user to a target URL as soon as the email is opened.
3. Technical Details
The vulnerability can be confirmed by sending an HTML email with the following content:
<meta http-equiv="refresh" content="0;URL='http://www.maliciousurl.com'" />
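A mail gateway or client-side filter can flag such messages before they are rendered. The following Python check is an added example, not part of the original advisory or of the AOSP code; the function name find_meta_refresh and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# content="0;URL='http://...'" -> delay, optional "url=", optional quotes, target
_REFRESH = re.compile(r"""^\s*(\d*\.?\d*)\s*[;,]?\s*(?:url\s*=\s*)?['"]?([^'"]*)""", re.I)


class _MetaRefreshFinder(HTMLParser):
    """Collects (delay, target) for each <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            m = _REFRESH.match(a.get("content", ""))  # pattern is all-optional, always matches
            self.hits.append((m.group(1), m.group(2).strip()))


def find_meta_refresh(raw_message: str):
    """Return [(delay, target_url), ...] from every text/html part of a message."""
    hits = []
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() == "text/html":
            finder = _MetaRefreshFinder()
            finder.feed(part.get_content())
            finder.close()
            hits.extend(finder.hits)
    return hits


# Constructed sample message (not real traffic) carrying the advisory's payload.
SAMPLE = (
    "From: sender@example.com\n"
    "To: user@example.com\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><head><META HTTP-EQUIV=\"Refresh\" "
    "content=\"0;URL='http://www.maliciousurl.com'\" /></head><body>hello</body></html>\n"
)

if __name__ == "__main__":
    print(find_meta_refresh(SAMPLE))
```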
4. Vulnerable Versions
- Confirmed on versions up until 7.0.
- Users on Android Ice Cream Sandwich (4.0.3) and above should migrate their accounts from the AOSP Email App to the Gmail App, since the Gmail App version 5.0+ is supported.
- Users with previous Android versions should upgrade to Ice Cream Sandwich or above where possible, or use a different email client.
6. Vulnerability timeline
- 16/6/2015: Issue reported to Google.
- 26/6/2015: Issue 178228 created for this vulnerability.
- 7/7/2015: Asked for feedback.
- 24/8/2015: Asked for feedback.
- 22/9/2015: Asked for feedback.
- 23/10/2015: Google replied that there's currently no plan to fix this issue.
- 16/11/2015: Advisory released.