How I Helped Make Office 365 a Little Safer

A few months back, while testing clients for kinetic CSS support, I stumbled upon something peculiar when I opened a test email in Office 365. A purple div was appearing at the bottom left of the browser window, inside the client's own chrome, outside the area of the email itself.

After a few quick tests, I realized that Office 365’s CSS sanitizer wasn’t removing CSS with position: fixed. What this means is that someone could create an email with elements styled to look like they are part of Office 365’s user interface; when the user opens the email, those elements appear outside the email display area, tricking the user into believing they are part of the email client itself.

I also discovered that negative margins were not removed either, allowing content to appear vertically above the email display area.
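To show the kind of check a sanitizer needs here, the following is an added JavaScript example (not Microsoft's code and not from the original post): it strips out-of-flow position values and negative margins from inline style attributes. The property list, helper names and sample markup are assumptions constructed for the example.

```javascript
// Added example: a minimal inline-style sanitizer that drops the two kinds of
// declarations described in the post, `position: fixed` (and the other
// out-of-flow values) and negative margins, so email content cannot be placed
// outside the message display area. A real sanitizer must also process <style>
// blocks and parse HTML properly; the regex below assumes double-quoted
// style="..." attributes in otherwise well-formed markup.

const OUT_OF_FLOW = new Set(["fixed", "absolute", "sticky"]);
const NEGATIVE_LENGTH = /(^|[\s(,])-\.?\d/; // matches -10px, -.5em, calc(-1rem)

// True when one `property: value` pair could move content outside the email area.
function isEscapingDeclaration(property, value) {
  const p = property.trim().toLowerCase();
  const v = value.trim().toLowerCase();
  if (p === "position") return OUT_OF_FLOW.has(v);
  if (p === "margin" || p.startsWith("margin-")) return NEGATIVE_LENGTH.test(v);
  return false;
}

// Rewrites one declaration list, keeping only pairs that pass the check above.
function sanitizeStyle(styleText) {
  return styleText
    .split(";")
    .map((decl) => decl.trim())
    .filter((decl) => decl.length > 0)
    .map((decl) => {
      const idx = decl.indexOf(":");
      if (idx < 0) return null; // malformed declaration: drop it
      const prop = decl.slice(0, idx);
      const val = decl.slice(idx + 1);
      return isEscapingDeclaration(prop, val) ? null : `${prop.trim()}: ${val.trim()}`;
    })
    .filter(Boolean)
    .join("; ");
}

// Applies sanitizeStyle to every double-quoted style="..." attribute in the markup.
function sanitizeInlineStyles(html) {
  return html.replace(/style="([^"]*)"/gi, (_, css) => `style="${sanitizeStyle(css)}"`);
}

// Constructed sample: a purple box pinned to the bottom left of the viewport,
// as in the post, plus a paragraph pulled upward with a negative margin.
const SAMPLE_EMAIL =
  '<div style="position: fixed; bottom: 0; left: 0; background: purple">Pinned box</div>' +
  '<p style="margin-top: -40px; color: #333">Hello</p>';

console.log(sanitizeInlineStyles(SAMPLE_EMAIL));
```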

[Image: office-365-content-bug]

Reporting the bug

Alarmed, I reported the bug through Microsoft’s security vulnerability page and quickly received notice that they were looking into it.

In a matter of weeks the potential exploit was fixed in Office 365, but because the bug was also present in OWA for Microsoft Exchange Server, it was going to take a few months before a patch addressing it would go out.

Now that the patch has rolled out, I’m at liberty to talk about it. I even got an entry in their security advisory acknowledgement page!

Naturally, I took the opportunity to provide some feedback on Office 365 rendering. Since my interactions have been through Microsoft’s security team, I don’t know if the feedback will make it into the product – though Jonathan, my friendly contact, told me that the Office 365 team is receptive!

This experience shows that there is a real benefit for email client developers (are you hearing me, Google?) to engage with the email community, as all of us are working towards a common goal: to make the email experience better.




Latest Comments
  1. Eric Lepetit

    Nice one again Justin!
