Exploiting JavaScript code in Android Email Apps

Konrad Iturbe
4 min read · Oct 13, 2016


Email clients are very popular apps; some come preinstalled on handsets by the OEM and others can be downloaded from the marketplace. Email is a communication method that will never die because of its ease of use and simplicity.

I have several email accounts: one for personal email (using my own domain), a Gmail account, a Microsoft Live account and a school email account (using the Google Classroom service). I used K-9 from the start since it allowed me to sync my personal email with my Gmail account and have a merged inbox; other email clients such as BlueMail (which I used until now) also offer this functionality. Today it occurred to me that I had to send an email from my computer, and I decided to use Thunderbird's HTML feature to make a table. I quickly figured out that the HTML feature was a double-edged tool: I could use the script tag and execute whatever I wanted, thus making me the master of the universe.
I knew BlueMail had a JS auto load feature and I never thought anything of it, until now.

The security test

I downloaded some clients from the Play Store, listed below along with their install counts:
- BlueMail: 1M
- K-@: 50K
- K-9: 5M
- TypeApp: 1M
- Aqua Mail: 1M
- Newton: 1M
- Gmail/Inbox: 1B

Testing procedure:

I sent three emails to my own account: one with an alert dialog (JavaScript alert()), one with a document.writeln() line and one with a redirection (using window.location.href) to an arbitrary URL.

I sent the emails using Thunderbird. Example Email below:

I then proceeded to open the email in each of the email clients.

The results:

K-@/K-9

These email clients were not affected by the auto-executed JS: K-@ loaded the email correctly without displaying anything from the JavaScript code, and so did K-9.

Alert: Not affected.
Document write: Not affected.
Redirection: Not affected.

Aqua Mail

AquaMail did not execute the JavaScript code.

Alert: Not affected.
Document write: Not affected.
Redirection: Not affected.

Newton (CloudMagic)

Newton was not affected by this bug.

Alert: Not affected.
Document write: Not affected.
Redirection: Not affected.

Gmail/Inbox

Again, not affected by the JS bug.

Alert: Not affected.
Document write: Not affected.
Redirection: Not affected.

The affected clients

BlueMail and TypeApp are affected by the JavaScript bug. Their layouts are similar, if not identical, and both were running the JS as soon as the email was opened by the user!

So… What can one do with this exploit? JS enables you to be the next generation email scammer.

BlueMail showing a JavaScript Alert:

TypeApp showing an email partially written with document.writeln() JavaScript code:

Now, lo and behold for the final trick: the ultimate email scam!

First, I make a super legit (don’t judge!) email:

Ultimate clickbait email spam!

Then, I insert this:

<script>window.location.href = 'https://www.youtube.com/watch?v=dQw4w9WgXcQ';</script>

And watch chaos happen:

BlueMail opens the URL, in this case a Rickroll.

Conclusion

Well… don't use the affected email clients! I personally use K-9 and you should as well. As for a solution to this problem, I suggest TypeApp and BlueMail put a toggle in the settings for auto-executing JS code, or add a banner at the top asking users whether to show the JavaScript-enabled email. Now, see how many of your friends use BlueMail/TypeApp and create a mass email. Entropy!
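As an added example (not code from this post or from any of the clients named in it), here is a defender-side check a mail client or gateway could run before rendering a message: it walks the text/html parts of a raw RFC 822 message and reports script tags, inline on* event handlers and javascript: URLs. That goes beyond the post's three tests (alert, document.writeln, window.location.href) to the other ways HTML mail can carry executable code. The sample messages are constructed.

```python
import email
from email import policy
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action", "formaction"}  # may carry javascript: URLs

class ActiveContentScanner(HTMLParser):
    """Records <script> tags, on* event handlers and javascript: URLs in an HTML body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script", None))
        for name, value in attrs:  # HTMLParser lowercases tag and attribute names
            if name.startswith("on"):  # inline handler such as onload= or onerror=
                self.findings.append(("event-handler", name))
            elif name in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", value.strip()))

def scan_message(raw_message):
    """Return active-content findings from every text/html part of a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner = ActiveContentScanner()
            scanner.feed(part.get_content())
            scanner.close()
            findings.extend(scanner.findings)
    return findings

# Constructed sample mirroring the post's redirection test (not a real message).
SAMPLE_REDIRECT = """\
Subject: A super legit email
Content-Type: text/html; charset="utf-8"

<html><body><p>Click anywhere to win!</p>
<script>window.location.href = 'https://example.invalid/landing';</script>
<img src="x" onerror="alert(1)">
</body></html>
"""
# Constructed clean HTML message, e.g. the table the post mentions sending.
SAMPLE_CLEAN = "Subject: hi\nContent-Type: text/html\n\n<table><tr><td>1</td></tr></table>\n"

if __name__ == "__main__":
    print(scan_message(SAMPLE_REDIRECT))  # [('script', None), ('event-handler', 'onerror')]
    print(scan_message(SAMPLE_CLEAN))     # []
```

A client that gets a non-empty result can fall back to rendering the text/plain part or show the banner the post suggests instead of handing the HTML to a JavaScript-enabled WebView.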

UPDATE:

The BlueMail client will not execute JS in its next update; just make sure you are on the update that follows 1.9.2.11. TypeApp is still affected by the JS bug as of now.
