Closed Bug 1467804 Opened 6 years ago Closed 6 years ago

Outlook drag and drop initiates redirect to malicious websites

Categories

(Firefox :: Untriaged, defect)

60 Branch
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1435319

People

(Reporter: richard.j.stewart, Unassigned)

Details

Attachments

(1 file)

Attached image sanitised 2.png
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180516032328

Steps to reproduce:

I was using a website which has a 'drag and drop attachment' button, and I made the mistake of, rather than dragging an email out of the Outlook window to create a file and then dragging that file directly into the Mozilla window, attempting a drag and drop directly from Outlook to Firefox, at which point the vulnerability was triggered.

Pre-reqs: Outlook installed.

Steps to reproduce: Drag and drop any email from your Outlook client directly into a Firefox window. It doesn't need to be a page with a drag/drop feature; any window works.

Actual results:

Mozilla Firefox seems to be given the email contents as a set of fields from Outlook rather than a file, and then some Firefox logic/code automatically adds prefixes and suffixes to turn it into a domain name and attempts to load the page. For Outlook it seems as though emails auto-navigate to the following URL: http://www[.]fromsubjectreceivedsizecategories[.]com/. McAfee and everybody else on VirusTotal think this URL is clean (https://www.virustotal.com/#/url/cbe9aa15e77f3bb27c74682b71a733bc71a323006cadd94ee1780d7f56ce5267/detection), but this URL then redirects to others which at least our McAfee blocks as malware sites (luckily for me). The crazy thing is that this behavior seems to have been around for over 10 years (https://www.silverspider.com/2007/from-subject-received-size-categories/). Who knows how long the redirect to malicious sites has been there. This still works in the latest release.


Expected results:

Well, I was hoping the file would be attached. It turns out dragging from Outlook doesn't produce a file, so in reality I don't expect it to work, but then again I also don't expect to get redirected automatically to a random URL which redirects to malicious sites. While it's not exactly elegant, even just blacklisting this URL in the code will likely save some people who aren't lucky enough to be protected by web content filtering like I was.
Flags: sec-bounty?
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Group: firefox-core-security
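As an added illustration (not Firefox or Outlook code, and not from the reporter), the following models the text-to-URL fixup the report describes and contrasts it with a drop handler that only navigates on an explicit http(s) URL. The Outlook column-header string is a constructed sample, and the fixup rules are assumed from the report, not taken from Firefox's source.

```javascript
// Added example, not Firefox or Outlook code. Models the behaviour in the report:
// dropped text that is not a URL gets "fixed up" into a hostname and loaded.

// Constructed sample: the list-view column headers Outlook places on the drag
// payload as text/plain when an email row is dragged (no file is produced).
const OUTLOOK_DROP_TEXT = "From\tSubject\tReceived\tSize\tCategories";

// Assumed fixup, modelled on the report rather than on Firefox's source: collapse
// whitespace, lower-case, then wrap in "http://www." and ".com/".
function naiveFixup(text) {
  const bare = text.replace(/\s+/g, "").toLowerCase();
  if (!bare) return null;
  return `http://www.${bare}.com/`;
}

// First non-comment line of a text/uri-list payload (RFC 2483: '#' lines are comments).
function firstUri(uriList) {
  return uriList.split(/\r?\n/).map(l => l.trim()).find(l => l && !l.startsWith("#")) || "";
}

// Stricter policy: a drop is a file, an explicit http(s) URL, or inert text.
// Plain words are never promoted to a hostname, so the Outlook headers stay text.
function classifyDrop(dt) {
  if (dt.files && dt.files.length > 0) {
    return { kind: "file", names: Array.from(dt.files, f => f.name) };
  }
  const candidate = (firstUri(dt.getData("text/uri-list") || "") ||
                     (dt.getData("text/plain") || "")).trim();
  try {
    const parsed = new URL(candidate); // throws when there is no explicit scheme
    if (parsed.protocol === "http:" || parsed.protocol === "https:") {
      return { kind: "url", url: parsed.href };
    }
  } catch (_) { /* not an absolute URL: fall through to inert text */ }
  return { kind: "text", text: candidate };
}

// Minimal DataTransfer-like stand-in so the functions can be exercised outside a browser.
function fakeDataTransfer(types, files = []) {
  return { files, getData: (type) => types[type] || "" };
}
```

Wiring `classifyDrop` into a page's `drop` handler and ignoring the `text` kind is what keeps a column-header drop from becoming a navigation.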
