Mailsploit: Popular Email Apps Allow Spoofing, Code Injection

Dozens of email clients, including some of the most popular applications, are plagued by flaws that can be exploited for address spoofing and, in some cases, even for code injection.
The attack method, dubbed Mailsploit, was discovered by Sabri Haddouche, a pentester and bug bounty hunter whose day job is at secure messaging firm Wire.
The researcher found that an attacker can easily spoof the sender’s address in an email, and even bypass spam filters and the DMARC protection mechanism. More than 30 email apps are impacted, including Apple Mail, Mozilla Thunderbird, Outlook and other applications from Microsoft, Yahoo Mail, Hushmail, and ProtonMail.
All affected vendors were notified in the past months. Yahoo, ProtonMail and Hushmail have already released patches, while others are still working on a fix. Some organizations, such as Mozilla and Opera, said they don’t plan on addressing this issue, and others have not informed Haddouche of whether or not fixes will be rolled out.
Mailsploit attacks are possible due to the way non-ASCII characters are encoded in email headers. These headers are required to contain only ASCII characters, but RFC-1342, published in 1992, provides a way to encode non-ASCII characters so that mail transfer agents (MTAs) can process the email.
Haddouche discovered that many email providers, including clients and web-based apps, fail to properly sanitize the decoded string, which leaves room for abuse.
For example, take the following string in the From parameter of the header:
From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS[email protected]mailsploit.com

When decoded by Apple’s Mail application, it becomes:
From: [email protected]\0([email protected])@mailsploit.com
However, iOS discards everything after the null byte, and macOS displays only the first valid email address it detects, so recipients see the sender as “[email protected]”.
The Mailsploit attack can be dangerous not only because of how the email address can be spoofed. Using this method also bypasses DMARC, a standard that aims to prevent spoofing by allowing senders and recipients to share information about the email they send to each other.
“The server still validates properly the DKIM signature of the original domain and not the spoofed one,” the researcher explained. “While MTAs not only don’t detect and block these spoofed email addresses, they will happily relay those emails as long as the original email seems trustworthy enough (the attacker can therefore ironically profit from setting up DMARC on that email address). This makes these spoofed emails virtually unstoppable at this point in time.”
In some cases, attackers can also execute arbitrary JavaScript code. This is possible by encoding the code they want to execute in the From parameter of the header. The code will get executed either when the malicious email is opened or when certain actions are performed (e.g. creating a new rule, replying to an email), depending on the application.
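The decoding behaviour described above (an encoded From display name that hides a null byte or a second address) and the markup-in-header vector in the last paragraph can both be caught on the receiving side before a client renders the header. The following is an added example, not code from the article or from Haddouche's research: it decodes every RFC 2047 encoded-word in a From value with Python's standard library and reports what a display name should never contain. The header samples, the helper names and the example domains are constructed for this illustration.

```python
import base64
from email.header import decode_header

# Characters with structural meaning in an address header (RFC 5322). An RFC 2047
# encoded-word can only carry a display-name fragment, so none of them belong in
# its decoded form; '<' and '>' also flag markup aimed at HTML-rendering clients.
STRUCTURAL = set('@<>()"')

def decoded_fragments(from_value: str) -> list[str]:
    """Decode every encoded-word in a From value; unencoded text is skipped."""
    fragments = []
    for chunk, charset in decode_header(from_value):
        if charset is None:
            continue  # plain text is shown as-is; nothing can hide in it
        try:
            fragments.append(chunk.decode(charset, errors="replace"))
        except LookupError:  # unknown charset label: still inspect the bytes
            fragments.append(chunk.decode("latin-1"))
    return fragments

def mailsploit_indicators(from_value: str) -> list[str]:
    """Sorted names of the suspicious things found in the decoded display name."""
    findings = set()
    for text in decoded_fragments(from_value):
        if "\x00" in text:
            findings.add("nul-byte")
        if "\r" in text or "\n" in text:
            findings.add("crlf")
        if STRUCTURAL & set(text):
            findings.add("address-delimiters-in-display-name")
    return sorted(findings)

def truncating_client_view(from_value: str) -> str:
    """What a client that stops at the first NUL shows: the true sender is lost."""
    return "".join(decoded_fragments(from_value)).split("\x00", 1)[0]

def b_word(display_name: bytes, charset: str = "utf-8") -> str:
    """Wrap raw display-name bytes in a base64 ('B') encoded-word."""
    return f"=?{charset}?b?{base64.b64encode(display_name).decode('ascii')}?="

# Constructed samples (not from the article); domains are reserved example names.
SAMPLES = {
    "benign": "=?utf-8?q?Alice_Example?= <alice@example.com>",
    "nul_truncation": b_word(b"ceo@corp.example\x00(attacker)") + "@attacker.example",
    "embedded_address": b_word(b"ceo@corp.example") + " <mailer@attacker.example>",
    "markup_in_name": b_word(b"Alice <b>Example</b>"),
}
```

A gateway or client that runs `mailsploit_indicators` on the raw From value can quarantine or plainly label such messages instead of rendering a name that the DMARC check, which only sees the real domain, has no reason to reject.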