Dozens of email clients, including some of the most popular applications, are plagued by flaws that can be exploited for address spoofing and, in some cases, even for code injection.
The attack method, dubbed Mailsploit, was discovered by Sabri Haddouche, a pentester and bug bounty hunter whose day job is at secure messaging firm Wire.
The researcher found that an attacker can easily spoof the sender’s address in an email, and even bypass spam filters and the DMARC protection mechanism. More than 30 email apps are impacted, including Apple Mail, Mozilla Thunderbird, Outlook and other applications from Microsoft, Yahoo Mail, Hushmail, and ProtonMail.
All affected vendors were notified in the past months. Yahoo, ProtonMail and Hushmail have already released patches, while others are still working on a fix. Some organizations, such as Mozilla and Opera, said they don’t plan on addressing this issue, and others have not told Haddouche whether or not fixes will be rolled out.
Mailsploit attacks are possible due to the way non-ASCII characters are encoded in email headers. These headers are required to contain only ASCII characters, but RFC-1342, published in 1992, provides a way to encode non-ASCII characters so that mail transfer agents (MTAs) can process the email.
Haddouche discovered that many email providers, including clients and web-based apps, fail to properly sanitize the decoded string, which leaves room for abuse.
For example, take the following string in the From header field:
From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS[email protected]mailsploit.com
When decoded by Apple’s Mail application, it becomes:
From: [email protected]
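As an added example (not code from the advisory or from any of the affected clients), the following Python defender-side check decodes the RFC 1342/2047 encoded-words in a From: header the way a client would, but takes the sender address only from the undecoded header, strips control characters from the decoded display name, and flags the patterns behind this attack. The sample headers, the example.org/example.net addresses and the function names are constructed for this illustration.

```python
import base64
import re
from email.header import decode_header
from email.utils import parseaddr

# C0 controls and DEL must never reach the rendered header: the attack
# relies on a client truncating at a decoded NUL or line break.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

def decode_encoded_words(value):
    """Decode RFC 2047 encoded-words in a header value into one str."""
    out = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        out.append(chunk)
    return "".join(out)

def inspect_from(raw_value):
    """Return (display_name, address, findings) for a raw From: value.

    The address comes from the undecoded header, so an encoded-word can
    never supply it; decoded text is used only as a display name, and
    only after control characters have been removed.
    """
    findings = []
    name, address = parseaddr(raw_value)
    if "=?" in address:
        findings.append("encoded-word inside addr-spec")
    if CONTROL_RE.search(decode_encoded_words(raw_value)):
        findings.append("control characters in decoded header")
    display = CONTROL_RE.sub("", decode_encoded_words(name)).strip()
    if "@" in display and display != address:
        findings.append("display name carries a different address")
    return display, address, findings

# Constructed samples (hypothetical, not from the advisory): a benign
# non-ASCII name, a name hiding an address followed by NUL, and the
# same encoded-word glued directly onto the real domain.
BENIGN = "=?utf-8?q?Ana_Garc=C3=ADa?= <ana@example.org>"
_payload = base64.b64encode(b"ceo@example.com\x00").decode("ascii")
SPOOFED = f"=?utf-8?b?{_payload}?= <attacker@example.net>"
NO_BRACKETS = f"=?utf-8?b?{_payload}?=@example.net"

if __name__ == "__main__":
    for raw in (BENIGN, SPOOFED, NO_BRACKETS):
        print(inspect_from(raw))
```

A client or gateway that renders the tuple this function returns, rather than the raw decoded string, shows the real address next to whatever the display name claims.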