Microsoft on Thursday released an updated version of Outlook for Android that patches an important security flaw in the email app, which could have led to spoofing attacks, Hacker News reported. Outlook for Android has been downloaded more than 100 million times on the Play Store.

According to an advisory from Microsoft, the vulnerability was related to how Outlook for Android parses specially crafted email messages. Microsoft’s advisory said, “An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim. The attacker could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user. The security update addresses the vulnerability by correcting how Outlook for Android parses specially crafted email messages.” The company said the flaw was independently reported by five security researchers, and that it was not aware of any actual attacks related to this issue.

Other flaws found recently in Android apps

  • Last week, a security flaw in the ‘Shot on OnePlus’ app caused OnePlus to leak the email addresses and other personal information of hundreds of its users. 9to5Google said it discovered the “somewhat major” vulnerability in the API OnePlus uses for the app a couple of months ago, and that the company had already fixed it. It said it was unclear how long users’ data had been leaking in this way, but believed it had been happening since the launch of the ‘Shot on OnePlus’ app many years ago.
  • In May, WhatsApp confirmed that a flaw in its app left it vulnerable to a spyware attack that installed malicious code on a victim’s smartphone through a simple voice call on WhatsApp. FT, which first reported the breach, said the spyware was created by the NSO Group, an Israeli software company. Earlier this week, its majority owner Novalpina Capital, a UK private equity firm, promised a “significant enhancement of respect for human rights” at NSO Group, per The Guardian.
  • In April, Hacker News reported that two browser apps created by Xiaomi had a critical vulnerability that had not yet been patched despite being privately reported to the company. The Mi Browser comes built into the company’s Mi and Redmi smartphones, while the Mint browser is available on Google Play for non-Xiaomi devices. The vulnerability was an address bar spoofing issue that allowed a malicious website to control the URLs displayed. The flaw could be used to easily trick users into thinking they were visiting a trusted website when they were actually being served phishing or malicious content. The issue only affected the international variants of both web browsers. Xiaomi rewarded the researcher who reported the issue with a bug bounty but left the vulnerability unpatched.