Author Topic: Aquamail is vulnerable for Mailsploit  (Read 6171 times)

Itakfule

  • Guest
Aquamail is vulnerable for Mailsploit
« on: December 05, 2017, 04:23:09 pm »
According to the article at https://thehackernews.com/2017/12/email-spoofing-client.html, Aquamail is also vulnerable to the Mailsploit exploit. Is there a new version planned with a fix for this vulnerability, and when can we expect this version?

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Aquamail is vulnerable for Mailsploit
« Reply #1 on: December 05, 2017, 07:53:27 pm »
Interesting. So this is a way to bypass DMARC.

I just filed a task and will try to figure it out shortly.

PS - it says on the web site under "responsible disclosure"

Quote
All vendors were contacted at least 3 months prior to the publication, some of them even 4 or 5 months before the publication.

We never received any such notice (and I personally check the support mailbox every day).
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Log files for diagnostics: https://www.aqua-mail.com/ru/troubleshooting/

Questions and answers: https://www.aqua-mail.com/ru/faq/

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Aquamail is vulnerable for Mailsploit
« Reply #2 on: December 05, 2017, 07:56:46 pm »
I just used their web site to send myself a test email - this is what it looks like in Aqua Mail.

It looks exactly the same in Fastmail web mail too. Nothing like the expected "potus@whitehouse.gov".

Itakfule

  • Guest
Re: Aquamail is vulnerable for Mailsploit
« Reply #3 on: December 05, 2017, 08:02:14 pm »
Many thanks for your response. That's really strange that you didn't receive such a request. Maybe they have sent their request to Mobisystems instead of to you directly. Hopefully it can be fixed in a relatively short time.

BTW: I have sent myself the test mails also. In my case 3 of them appear with the wrong sender address. If I look into the same Inbox with eM Client, all mails are displayed correctly.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Aquamail is vulnerable for Mailsploit
« Reply #4 on: December 05, 2017, 08:06:12 pm »
Re: That's really strange, when you didn't receive such a request. Maybe they have sent his request to Mobisystems instead to you directly.

Like I said, I read "support / at / aqua-mail / dot com" every day. Maybe they sent it to info / mobisystems or something.

Anyway, I'll try to spend some time to first understand the scenarios to which we're vulnerable and then try to fix them.

The general technique they use is to use data that's not valid - so I'll also have to decide what the "correct" behavior should be in each case.

Itakfule

  • Guest
Re: Aquamail is vulnerable for Mailsploit
« Reply #5 on: December 05, 2017, 08:08:56 pm »
Maybe it helps... Roundcube, a PHP webmailer I use personally, has fixed the vulnerability. You can find the source in GitHub.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Aquamail is vulnerable for Mailsploit
« Reply #6 on: December 05, 2017, 08:11:51 pm »
Well, I hardly think we'll be able to reuse PHP code in our Android app :)

The hard part is figuring out what to do - as I see it so far, there is no single ("the") vulnerability, and it's not a vulnerability either, really.

There is a bunch of different cases of malformed input data - each of which may or may not have an effect on a particular email app, and when it does, the actual "effect" can vary too.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Aquamail is vulnerable for Mailsploit
« Reply #7 on: December 05, 2017, 10:10:44 pm »
Please note that some valid but "interesting" cases are possible.

For example:

From: potus@whitehouse.gov <foo@bar.com>

is perfectly valid, where "potus@whitehouse.gov" is the "human readable name" that's (probably deliberately) made to look like an email address.

In Aqua Mail, in message lists / message view, we try to show the "human readable name" where possible.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Aquamail is vulnerable for Mailsploit
« Reply #8 on: December 05, 2017, 11:07:37 pm »
https://www.aqua-mail.com/download/AquaMail-market-1.13.0-696-dev-28adc0074df8.apk

Fixed:

Every case of "creatively malformed" data (e.g. the "name" after Q/B decoding containing \0 / \n / quote char).

Not fixed:

Perfectly valid but confusing "human name looks like an email" (e.g. potus@whitehouse.gov <foo@bar.com>), will look at that next.

Itakfule

  • Guest
Re: Aquamail is vulnerable for Mailsploit
« Reply #9 on: December 06, 2017, 12:09:41 am »
I have installed this version now. Maybe I understand the problem wrong, but if I understand it correctly, the sender should be in most cases demo@mailsploit.com and not potus@whitehouse.gov. If I look now in the inbox in the mail list view, most of the mails seem to be from potus@whitehouse.gov (I have deleted other mails which seem to be OK for me).

I can't take a screenshot right now, don't know why. But I count 8 mails from the test, with spoofed sender address.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Aquamail is vulnerable for Mailsploit
« Reply #10 on: December 06, 2017, 01:12:15 am »
Quote
I have installed this version now. Maybe I understand the problem wrong, but if I understand it correctly, the sender should be in most cases demo@mailsploit.com and not potus@whitehouse.gov. If I look now in the inbox in the mail list view, most of the mails seem to be from potus@whitehouse.gov (I have deleted other mails which seem to be OK for me).

First - just installing won't do anything.

You need to re-send the messages (or to move them into some other folder, refresh in the app so they disappear, move them back, refresh again).

Second: "if I understand it correctly, the sender should be in the most cases demo@mailsploit.com and not potus@whitehouse.gov"

Not necessarily :) this is the "perfectly valid but confusing" part above.

And this one is much less clear - is avoiding "valid but confusing" sender names within the scope of a mail app?

How far do you want a mail app to go - in "fixing" (but really "mangling") something that is perfectly valid but may be confusing to the user?

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Aquamail is vulnerable for Mailsploit
« Reply #11 on: December 06, 2017, 01:14:02 am »
https://www.aqua-mail.com/download/AquaMail-market-1.13.0-697-dev-12779c6b9135.apk

"Fixes" (but really "mangles") the "perfectly valid but confusing" sender names.

For example:

From: potus@whitehouse.gov <foo@bar.com>

will *not* show potus@whitehouse.gov because it looks too much like an email address and will show foo@bar.com instead.

The change affects message lists, message view, widgets, notifications.
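Added example (not part of the thread and not Aqua Mail's code): a Python sketch of the display rule described in replies #8 and #11, where a sender name that contains \0, \n or a quote character after Q/B decoding, or that looks like an email address, is not shown and the real address is shown instead. The function names, the fallback policy for malformed names and the sample headers are assumptions constructed for illustration.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header

# Assumed policy for this sketch: control characters or a double quote in the
# decoded name mean "malformed"; something@host.tld in the name means "confusing".
UNSAFE = re.compile(r'[\x00-\x1f\x7f"]')
LOOKS_LIKE_ADDRESS = re.compile(r'[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+')
NAME_ADDR = re.compile(r'\s*(.*?)\s*<([^<>]*)>\s*', re.S)

def split_from(value):
    """Split 'name <addr>' at the angle brackets; a bare address has no name."""
    m = NAME_ADDR.fullmatch(value)
    return (m.group(1), m.group(2)) if m else ("", value.strip())

def decode_words(raw):
    """Decode RFC 2047 encoded-words (Q and B) into a single string."""
    out = []
    for data, charset in decode_header(raw):
        if isinstance(data, bytes):
            data = data.decode(charset or "ascii", errors="replace")
        out.append(data)
    return "".join(out)

def display_sender(from_header):
    """Return the text a message list should show for this From: value."""
    raw_name, addr = split_from(from_header)
    if len(raw_name) >= 2 and raw_name[0] == raw_name[-1] == '"':
        raw_name = raw_name[1:-1]            # plain quoted-string name
    try:
        name = decode_words(raw_name).strip()
    except (HeaderParseError, LookupError):  # bad base64 or unknown charset
        return addr
    if not name or UNSAFE.search(name) or LOOKS_LIKE_ADDRESS.search(name):
        return addr                          # do not trust the name, show the address
    return name

# Constructed sample headers (not captured traffic).
SAMPLES = [
    '=?utf-8?B?QWxpY2U=?= <alice@example.com>',                  # benign B-encoded name
    '"Alice Smith" <alice@example.com>',                         # benign quoted name
    '=?utf-8?Q?potus=40whitehouse.gov=00?= <demo@mailsploit.com>',  # \0 after decoding
    '=?utf-8?Q?Alice=0ASmith?= <demo@mailsploit.com>',           # \n after decoding
    '=?utf-8?Q?Alice=22?= <demo@mailsploit.com>',                # quote after decoding
    'potus@whitehouse.gov <foo@bar.com>',                        # name looks like an address
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(repr(header), "->", repr(display_sender(header)))
```

The checks run on the decoded name, because the encoded-word form hides the NUL, newline and quote characters from any check applied to the raw header.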

Itakfule

  • Guest
Re: Aquamail is vulnerable for Mailsploit
« Reply #12 on: December 06, 2017, 10:18:56 am »
Ahhh, this one looks much better. For every test I make, I send myself a fresh set of mails. For me, this latest one looks really good.

BTW: What makes me wonder a little bit is that in the available Google sheet, the Gmail App (Android) is listed as "not affected" for all terms of this issue. Neither spoofing nor code injection. But if I test it here, I see that it is at least affected by spoofing, which isn't fixed for the Gmail App. Ohh, and they don't have IMAP/Idle support? What? Stupid client.

Additionally, I received an update today for the built-in Samsung Mail App on my phone. First thought was "hey, they have seen the vulnerability and have fixed it too, great!".... But I was wrong... no fix...

So the only fixed client seems to be currently AquaMail. Many thanks for the fast fix. Now the only thing that I miss is again implementation of PGP/Mime. I love this App.

znullz

  • Newbie
  • *
  • Posts: 1
Re: Aquamail is vulnerable for Mailsploit
« Reply #13 on: December 07, 2017, 02:30:47 am »
Hello,

Just to clarify, I did send the e-mail (see attachments).

Best Regards,
Sabri

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Aquamail is vulnerable for Mailsploit
« Reply #14 on: December 08, 2017, 05:29:42 pm »
Re: Just to clarify, I did send the e-mail (see attachments).

DOH! Don't know how we missed it then :)

Anyway, thanks for everything!