#1884 ✓fixcommitted
hadmob

Mailsploit Vulnerability

Reported by hadmob | December 6th, 2017 @ 08:02 AM

Hi, I used the demo at https://www.mailsploit.com/ and found out MailMate is fully or partly vulnerable to several of the tests.

Regards,
hadmob

Comments and changes to this ticket

  • benny

    benny December 6th, 2017 @ 08:54 AM

    • State changed from “new” to “reproduced”

    I'm looking into it.

  • benny

    benny December 6th, 2017 @ 02:48 PM

    • State changed from “reproduced” to “fixcommitted”

    There's a test release available now (r5440): Hold down ⌥ when clicking “Check Now” in the Software Update preferences.

  • hadmob

    hadmob December 6th, 2017 @ 03:05 PM

    I've tried the fix but it doesn't seem to be working. The From header still often contains the fake potus@whitehouse.gov address alone, and even when it is both that and the demo@mailsploit.com address in the header, when you reply, you send mail To: potus@whitehouse.gov.

  • benny

    benny December 6th, 2017 @ 03:14 PM

    Well, it works in the sense that MailMate now identifies the correct email address in all cases. The “From” column shows the “name” part of the From headers which just happens to be email addresses. But I'll think about what I can do to make this less deceptive. Maybe I should simply disallow anything that looks like an email address in the name part...

    When replying, MailMate respects the “Reply-To” email header. That's just email by design (although granted, probably bad design).

    Email spoofing has always been easy -- even without the Mailsploit techniques.

  • hadmob

    hadmob December 6th, 2017 @ 03:36 PM

    Yes, perhaps some kind of marking the name part, such as printing it in italics or something, would be good to have. Or filtering it out alltogether, but that can be just as confusing as leaving it there unmarked.

    Maybe a special warning flag such as ☠️ or similar could be shown alongside all suspicious headers, i.e. those that use special formatting that indicates mailsploit attack. And on mouse-over it could just explain itself in a bubble, and perhaps show the unparsed header to the user.

  • benny

    benny December 8th, 2017 @ 11:35 AM

    I've now gone with a solution where @ is replaced with a skull whenever the name part of an address header contains @. It should show up quite rarely, because MailMate now also ignores it when the name part contains the same email address as the address part. This is in the latest test release and it only affects displayed names -- it does not affect searching or any other features.

  • hadmob

    hadmob December 10th, 2017 @ 06:04 PM

    Great, thank you.

  • benny

    benny December 13th, 2017 @ 02:10 PM

    • State changed from “fixcommitted” to “fixreleased”

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

Mac OS X email client.

Shared Ticket Bins

People watching this ticket

Attachments

Pages