Outlook.com android app HTML injection vulnerability

I like to analyse random apps on the Google Play Store and this time I dedicated time to the Outlook.com Android App.

At the time, other guys were looking at the app as well and release this analysis about insecure data storage on the app.

Most, if not all email apps allow HTML emails so I decided to play around a little bit with this.

I wrote the following Python script to send emails via a Gmail account in HTML format:

import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

fromaddr = ‘<email@gmail.com>’
toaddrs = ‘<email@outlook.com>’

msg = MIMEMultipart(‘alternative’)
msg['Subject'] = “Breaking Stuff”
msg['From'] = fromaddr
msg['To'] = toaddrs

html=” #HTML goes here.
mime = MIMEText(html,’html’)

#Account Credentials
username = ‘<email@gmail.com>’
password = ‘<password>’

server = smtplib.SMTP(‘smtp.gmail.com:587′)
server.sendmail(fromaddr, toaddrs, msg.as_string())

Although some HTML tags were being output on the email body, webviews by default do not have Javascript enabled and this particular webview does not call the setJavascriptEnable() method, so no Javascript for you.

What else could I do with this? There is a very useful HTML tag called <meta> that has a cool attribute named http-equiv.

With the value refresh on the http-equiv we can refresh a page to a target URL. Content = 0 indicates a immediate refresh:

<meta http-equiv=”refresh” content=”0;URL=’http://maliciouswebsiteurl'” />

Bingo! Wonder what happened as soon as I open an email?

With this vulnerability we can redirect the user to a malicious website.

I reported this vulnerability to MSRC on May and Microsoft kept me on the loop while the vulnerability was being solved.

The latest version released on July ( has the issue fixed. Please update your Outlook.com app to the latest version.

Microsoft added my name to the Security Researcher Acknowledgments for Microsoft Online Services for September 2014.

Written by Cláudio André