Some email clients are vulnerable to attacks via 'mailto' links

guest · Aug 18, 2020

Some email clients are vulnerable to attacks via 'mailto' links
GNOME Evolution, KDE KMail, IBM/HCL Notes, and older versions of Thunderbird found to be vulnerable
August 18, 2020
https://www.zdnet.com/article/some-email-clients-are-vulnerable-to-attacks-via-mailto-links/

A lesser-known technology known as "mailto" links can be abused to launch attacks on the users of email desktop clients.

The new attacks can be used to secretly steal local files and have them emailed as attachments to attackers, according to a research paper published last week by academics from two German universities.
Attacking mailto links
The "vulnerability" at the heart of these attacks is how email clients implemented RFC6068 — the technical standard that describes the 'mailto' URI scheme.
Click to expand...

The RFC6068 (mailto) standard supports a large set of parameters for customizing mailto links, including rarely used options that can be used to control the email's body text, reply-to email address, and even email headers.
SOME EMAIL CLIENTS WERE SUPPORTING DANGEROUS MAILTO PARAMETERS
But in a research paper named "Mailto: Me Your Secrets" [PDF], academics from Ruhr University Bochum and the Münster University of Applied Sciences said they found email client apps that support the mailto standard with some of its most exotic parameters that allow for attacks on their users.

In particular, researchers looked at the mailto "attach" or "attachment" parameters that allow mailto links to open new email compose/reply windows with a file already attached.
Academics argue that attackers can send emails containing boobytrapped mailto links or place boobytrapped mailto links on websites that, when clicked, could surreptitiously append sensitive files to the email window.
Click to expand...

Research paper: "Mailto: Me Your Secrets - On Bugs and Features in Email End-to-End Encryption"
(PDF - 363 KB): https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/08/15/mailto-paper.pdf

guest · Aug 18, 2020

mood said: ↑

Some email clients are vulnerable to attacks via 'mailto' links August 18, 2020

Research paper: "Mailto: Me Your Secrets - On Bugs and Features in Email End-to-End Encryption"
(PDF - 363 KB): https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/08/15/mailto-paper.pdf
Click to expand...

ADDITIONAL RESEARCH ON ATTACKING ENCRYPTED PGP AND S/MIME
However, the research team's full paper was not focused on documenting the implementations of the mailto URI scheme in email clients. This is a small portion of the paper that we chose to highlight in this article.

In their paper, academics primarily focused on finding bugs in email clients that could be abused to bypass (not break) email encryption technologies such as PGP and S/MIME.
Researchers said they were successful in finding three new attack techniques that leveraged bugs in email clients to steal PGP private keys from victims, which would then allow attackers to decrypt the victim's entire communications.

The three new attack classes are listed below, with item 3) being the technique we described above in greater detail [...]
Click to expand...

Key replacement - Email clients may automatically install certificates contained in S/MIME communications. Such a feature, if available, can be misused to silently replace the public key used to encrypt messages to a certain entity.

Dec/Sig oracles - Using standard mailto parameters, email clients can be tricked to decrypt ciphertext messages or to sign arbitrary messages, and exfiltrate them to an attacker-controlled IMAP server, if the email client supports automatically saving message drafts.

Key exfiltration - If implemented by the email client, an attacker can create a specially crafted mailto URI scheme, in order to force the inclusion of the OpenPGP private key file on disk into an email to be sent back to the attacker.

All in all, academics said that eight of the 20 email clients they tested for their research project were vulnerable to at least one of the three attacks listed above.
Click to expand...

Log in or Sign up

Some email clients are vulnerable to attacks via 'mailto' links

guest Guest

guest Guest

Log in or Sign up

Some email clients are vulnerable to attacks via 'mailto' links

guest Guest

guest Guest

Useful Searches