
Outlook email auth bypass

Two bugs in Outlook make it possible for an attacker to make an email appear to come from an arbitrary email address, or even from no email address (which in Outlook signifies that it is from the same organization):

  • The display name and the from email are in the same visual element; there is no isolation between them, so an authenticated piece of information (the from email) can be manipulated by an arbitrary attacker-controlled string (the display name).
  • Instead of letting the user know in some way that “display name” + “from email” is very long, it is quietly truncated.

Thus an attacker can simply push the “from email” off the screen. This is as severe as a browser bug that lets websites choose what they want to show in the address bar.
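
One way a mail gateway or triage script could flag the condition described above, as an added example that is not from the original post: it parses a From header value and reports display names that carry a different address than the real sender, or that are long enough to push the real address past an assumed visible width. `check_from`, `VISIBLE_CHARS` and the sample headers are constructed for illustration; the width is an assumption, not a documented Outlook value.

```python
import re
from email.utils import parseaddr

# Assumed number of characters of the combined sender field a client shows
# before truncating; not a documented Outlook value, tune it per client.
VISIBLE_CHARS = 60
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def check_from(from_value):
    """Return a list of findings for one From header value (hypothetical helper)."""
    name, real = parseaddr(from_value)
    real = real.lower()
    if not real:
        return ["unparseable From header"]
    findings = []
    # Display name carries an address other than the authenticated one.
    for shown in ADDR_RE.findall(name):
        if shown.lower() != real:
            findings.append(f"display name shows {shown} but sender is {real}")
    # Display name alone fills the visible field, so the real address is cut off.
    if len(name) >= VISIBLE_CHARS:
        findings.append(
            f"display name is {len(name)} chars, {real} falls outside the visible field"
        )
    return findings


# Constructed sample headers (example.com and example.net are reserved domains).
SAMPLES = [
    "Alice Example <alice@example.com>",
    '"ceo@example.com" <mailer@example.net>',
    '"Payroll Department Notifications for All Staff Members and Contractors"'
    " <mailer@example.net>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_from(sample) or "ok")
```

The second sample covers the arbitrary-address case and the third covers the "no email" case, where nothing but the display name remains visible.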