Google AOSP Email App HTML Injection

The Google AOSP Email App is vulnerable to HTML Injection on the email body. It allows a remote attacker to be able to send a crafted email with a payload that redirects the user to a target url as soon as he opens the email. This issue is not related with the email provider configured on the app but with the incorrect filter of potential dangerous tags on the client side.

In the following PoC we sent an email with the HTML tag meta using the attribute http-equiv refresh to redirect the user to the target URL.

As you can see from this PoC, this vulnerability has a dangerous potential for phishing attacks. With a bit of creativity, a convincing phishing scenario is plausible.

Other vectors like using intent-based URI are also another possibility. Just this week we learned that in MobilePwn2Own, an exploit was showcased that explores a vulnerability in Javascript V8 engine in Chrome, where a user just needs to browse to a page and it installs a apk without any kind of user interaction.  This exploit combined with the Email app vulnerability is a very dangerous combo.

This app is available in all Android versions up to Kitkat(4.4.4). This application exists because up until Gmail for Android 5.0, it was the only way to configure other email providers (Exchange Servers, Yahoo,Hotmail,etc) on Android.

From Android Lolipop (5.0) upwards , the AOSP app no longer exists in the system.

Since probably that are still a lot of users using the AOSP Email App we decided to contact Google regarding this issue. After some interactions, Google gave us the feedback that they don't have plans for the fix of this vulnerability.

Recommendations:

  • Users from Android Ice Cream Sandwich (4.0.3) upwards, should migrate the accounts from the AOSP Email App to the Gmail App, since the Gmail App version 5.0+ is supported.
  • Users with previous Android versions should upgrade to Ice Cream Sandwich (4.0.3) or above where possible or use a different email client.

References:

 

 

Written by Cláudio André