‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs

The attack uncovers bugs in how more than a dozen programs implement email's creaky protocol.

Pretending to be someone you're not in an email has never been quite hard enough—hence phishing, that eternal scourge of internet security. But now one researcher has dug up a new collection of bugs in email programs that in many cases strip away even the existing, imperfect protections against email impersonation, allowing anyone to undetectably spoof a message with no hint at all to the recipient.

On Tuesday, security researcher and programmer Sabri Haddouche revealed Mailsploit, an array of methods for spoofing email in more than a dozen common email clients, including Apple Mail for iOS and macOS, Mozilla's Thunderbird, Microsoft Mail, and Outlook 2016, as well as a long list of less common clients including Opera Mail, Airmail, Spark, Guerrilla Mail and Aol Mail. By combining the bugs in those email clients with quirks in how operating systems handle certain kinds of text, Haddouche was able to craft email headers that, to the recipient, give every indication of having been sent from whatever address the fraudster chooses. The potential for phishing schemes is enormous.

A demo Haddouche has made available on his website describing the Mailsploit attack lets anyone send emails from any address they choose; think potus@whitehouse.gov, tcook@apple.com, john.podesta@gmail.com or any other corporate executive, politician, friend, family member, or associate that might trick someone into giving up their secrets. Thanks to Mailsploit's tricks, no amount of scrutiny in the email client can reveal the fakery.

"This makes these spoofed emails virtually unstoppable at this point in time," writes Haddouche, who works as a developer for secure messaging service Wire.

Missing DMARC

Email spoofing is a hacker trick as old as email itself. But over the years, administrators of email servers have increasingly adopted authentication systems, most recently one known as Domain-based Message Authentication, Reporting and Conformance, which blocks spoofed emails by carefully filtering out those whose headers pretend to come from a different source than the server that sent them. Partly as a result, phishers today generally have to use fake domains—the part of the email address after the "@"—that resemble real ones, or cram real-looking domains into the "name" field of their email. Either case is fairly easy to spot, if you're careful to hover over or click on the "from" field of any suspicious-looking email.

But Mailsploit's tricks defeat DMARC by exploiting how email servers handle text data differently than desktop and mobile operating systems. By crafting email headers to take advantage of flawed implementation of a 25-year-old system for coding ASCII characters in email headers known as RFC-1342, and the idiosyncrasies of how Windows, Android, iOS, and macOS handle text, Haddouche has shown that he can trick email servers into reading email headers one way, while email client programs read them differently.

"The cleverness of this attack is that everything comes from the right source from the perspective of the mail server, but at the moment it’s displayed to the user it comes from someone else," says Dan Kaminsky, a protocol-focused security researcher and chief scientist at cybersecurity firm White Ops. "The authentication system for the server sees one thing. The authentication system for humans sees another."

Patchwork Fixes

Haddouche says he contacted all of the affected firms months ago to warn them about the vulnerabilities he's found. Yahoo Mail, Protonmail and Hushmail have already fixed their bugs, while Apple and Microsoft have told Haddouche they're working on a fix, he says. A Microsoft spokesperson wrote to WIRED to note that Outlook.com, Office 365, and Exchange 2016 aren't affected by the attack. Most other affected services haven't responded, Haddouche says. Haddouche's full list of affected email clients and their responses to his Mailsploit research is here. [1]

Mozilla and Opera, Haddouche says, both told him they don't plan to fix their Mailsploit bugs, instead describing them as server-side problems. (On Wednesday, Thunderbird developer Jörg Knobloch wrote to WIRED to note that Thunderbird will make a patch available in the next 24 hours.) Blaming the server, rather than the email client, may be more than just a lazy dodge: Haddouche tells WIRED that email providers and firewalls can also be set to filter out his attack, even if email clients remain vulnerable. [1]
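Provider-side filtering of the kind described above can key on the gap between the address a server authenticates and the text a client renders once encoded-words (RFC 1342, later superseded by RFC 2047) are decoded. The Python check below is an added example, not code from Haddouche or from any mail product; its three heuristics, its function names and its sample headers are assumptions of this example, and it expects an already unfolded From value.

```python
import base64
import re
from email.errors import HeaderParseError
from email.header import decode_header
from email.utils import parseaddr

ENCODED_WORD = re.compile(r"=\?[^?\s]+\?[bBqQ]\?[^?\s]*\?=")
ADDR_LIKE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def decode_words(raw):
    """Return the header text as a decoding mail client would render it."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label
                chunk = chunk.decode("latin-1")
        parts.append(chunk)
    return "".join(parts)


def check_from_header(raw):
    """Return a list of reasons to quarantine; empty means no finding."""
    reasons = []
    # The addr-spec is what the server side evaluates for authentication.
    addr = parseaddr(raw)[1]
    sender_domain = addr.rpartition("@")[2].lower()
    if ENCODED_WORD.search(addr):
        reasons.append("encoded-word inside addr-spec (forbidden by RFC 2047)")
    try:
        shown = decode_words(raw)
    except HeaderParseError:
        return reasons + ["undecodable encoded-word"]
    if CONTROL.search(shown):
        reasons.append("control character in decoded text")
    for seen in ADDR_LIKE.findall(shown):
        if seen.rpartition("@")[2].lower() != sender_domain:
            reasons.append("decoded text shows foreign address " + seen)
    return reasons


# Constructed sample headers (reserved .example domains), not captured traffic.
HIDDEN = base64.b64encode(b"ceo@bank.example\x00").decode()
SAMPLES = {
    "plain": "=?utf-8?q?J=C3=B6rg?= <jorg@sender.example>",
    "mismatch": "=?utf-8?b?" + HIDDEN + "?=@sender.example",
}
```

A non-empty result is a reason to quarantine or tag the message at the gateway before it reaches a client that may decode the header differently from the server.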

Beyond the specific bugs Mailsploit highlights, Haddouche's research points to a more fundamental problem with email authentication, says Kaminsky. Security add-ons for email like DMARC were designed to stop spam, not targeted spoofing, he points out. The fact that its whitelisting function also prevents most spoofing is almost an accident, he argues, and one that actually guarantees an email comes from who it appears to come from. "This is all part of the goop of email being a '90s protocol before security was a big deal," Kaminsky says. "The system that accidentally prevents you from pretending to be the president of the US is good enough for spam protection, but it’s not good enough for phishing protection."

Haddouche recommends that users stay tuned for more security updates to their email clients to fix the Mailsploit bugs, and that they consider switching in general to secure messengers like Wire, Whatsapp or Signal, which use more robust authentication mechanisms.

And in the meantime, it's always wise to treat emails with caution. Before opening an attachment or even clicking a link, it's worth reaching out to the person via another channel for confirmation the message comes from who it claims to come from. And if you do get a message from potus@whitehouse.gov, don't give him your PayPal password.

[1] Updated 12/6/2017 at 5:55 pm EST to include comments from Microsoft and a Thunderbird developer.