
Another 'NSA-proof' webmail biz popped by JavaScript injection bug

alert('Thomas Roth strikes again');


German startup Tutanota has admitted its webmail service was vulnerable to a cross-site scripting bug despite boasting it offered an "NSA-proof email service."

The flaw, which would have allowed attackers to inject malicious JavaScript into victims' browsers, was uncovered and reported last night by German security researcher Thomas Roth. That's the same researcher who uncovered a similarly severe flaw in the rival ProtonMail service. Both websites perform message encryption and decryption in the browser, keeping the crypto keys in the hands of the users rather than the providers (and governments).

Tutanota confirmed it had fixed the XSS hole in an advisory today that sought to play down the significance of the flaw:

It was a possible cross-site-scripting attack when forwarding an email. The issue has already been fixed. The attack worked as follows: When forwarding an email, the subject was embedded in the body of the new email unsanitized. This made it theoretically possible for attackers to manipulate the subject upon sending an email to a Tutanota email address. Then the attacker had to trick the user into forwarding this email. This way he would have had the opportunity to execute JavaScript code in the context of the web application.
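The pattern the advisory describes, shown as an added example that is not Tutanota's code: a forward-body builder that concatenates the subject into HTML as-is, next to one that escapes it, plus a regression check that tells them apart. All function names are hypothetical, the message is constructed, and the body is assumed to have been sanitized on receipt.

```javascript
// Added illustration; all function names here are hypothetical.

// Constructed sample: the subject is attacker-controlled text.
const sampleMail = {
  from: "sender@example.com",
  subject: "<script>alert('forwarded')</script>",
  bodyHtml: "<p>Quarterly numbers attached.</p>", // assumed sanitized on receipt
};

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Flawed pattern: header fields are concatenated into the new HTML body as-is,
// so they never pass through the sanitizer that handled the original body.
function buildForwardBodyUnsafe(mail) {
  return "<div>-------- Forwarded message --------<br>" +
    "From: " + mail.from + "<br>" +
    "Subject: " + mail.subject + "<br></div>" + mail.bodyHtml;
}

// Hardened pattern: header fields are plain text, so they are escaped
// before they are placed in an HTML context.
function buildForwardBodySafe(mail) {
  return "<div>-------- Forwarded message --------<br>" +
    "From: " + escapeHtml(mail.from) + "<br>" +
    "Subject: " + escapeHtml(mail.subject) + "<br></div>" + mail.bodyHtml;
}

// Regression check: a subject must never change how many tags the body has.
function countTags(html) {
  return (html.match(/<[a-zA-Z!\/]/g) || []).length;
}

function subjectInjectsMarkup(build, mail) {
  const benign = Object.assign({}, mail, { subject: "plain subject" });
  return countTags(build(mail)) !== countTags(build(benign));
}

console.log("unsafe builder injects markup:", subjectInjectsMarkup(buildForwardBodyUnsafe, sampleMail));
console.log("safe builder injects markup:  ", subjectInjectsMarkup(buildForwardBodySafe, sampleMail));
```

Where the forwarded body is built in the DOM rather than as a string, assigning the subject through `textContent` has the same effect as escaping it.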

Earlier this week, prior to Roth's discovery, Tutanota told The Register it had run an "extensive penetration test" during which cross-site scripting attacks were attempted. These tests [results PDF] were carried out by Syss GmbH, which was unable to turn up any problems.

"Cross site scripting attacks are prevented by a sanitizer which filters embedded scripts from the emails sent and received via Tutanota," the secure email startup assured us before Roth's XSS bug was found this week. "This sanitizer was active since Tutanota was published."

"During the penetration test cross site scripting attacks were executed, but no vulnerability found," it added.

Of course, it's entirely possible for one researcher to find flaws that others miss. However, Roth unearthed the vuln minutes after he started investigating the security of Tutanota. The German biz patched the bug within a day of being alerted to the vulnerability.

Cofounder and developer of Tutanota Arne Möhle said: “If a serious security vulnerability is discovered, we would rather shut down our service until the vulnerability is eliminated.”

The discovered subject-line vulnerability in Tutanota is "not as obvious as the ProtonMail [XSS] and relies on a small user interaction," Roth told El Reg.

He said his discovery nonetheless proves Tutanota's "XSS is not possible" claim is foolhardy even "though [Tutanota] really tries and does a much, much better job in that regard than ProtonMail."

"Obviously I did not conduct a real penetration test or anything, just a very quick look. Reviewing their cryptography would require more work," he added.

Tutanota, which offers end-to-end encryption of messages, launched a freebie product aimed at ordinary netizens on 2 July. The announcement was tainted by the usual "NSA-proof" hype, but it was able to reveal its cryptography:

Tutanota encrypts locally in the browser with a standardized, hybrid method consisting of a symmetrical and an asymmetrical key with RSA 2048 Bit and AES 128 Bit. This encryption process takes place automatically between Tutanota users. If a Tutanota user sends an encrypted email to an external recipient, the email is encrypted with AES 128 Bit with the help of a password exchange. Subject, content and attachments are automatically encrypted. The recipient can also answer directly with an encrypted email.

The firm was founded as a spin-off from the L3S Research Center at Leibniz University Hanover in 2012 by three former students. Tutanota is hoping to make money by offering a premium version of its secure email service featuring additional storage and more functionality, making it attractive to businesses.

Tutanota Starter, which is pitched at corporate IT, is an Outlook Addin that encrypts emails directly in Outlook.

The technology has not been subjected to peer review by cryptographers, the sort of people who uncovered flaws in Lavabit, which even Edward Snowden trusted (at least up to a point).

End-to-end encrypted webmail in the browser is a difficult problem to crack. Tutanota is far from the first to come unstuck despite confident claims to the contrary beforehand. Lavabit, ProtonMail, Hushmail et al have all had to backtrack on their respective security claims for one reason or another.

Tutanota claimed it was still ahead of its rivals because it refuses to touch users' unencrypted messages.

"It seems like services like Lavabit and Hushmail had some type of access to the plain text mails, e.g. because the user password was sent to the server," a Tutanota spokesman told El Reg.

"With Tutanota we can not get access to the user's private key because it is stored encrypted on the server. It is encrypted with the user's password and that password is never sent to the server. Decryption of the user's private key takes place on the client."

Without speaking specifically about Tutanota, Roth outlined the general problem many secure mail services face in living up to their lofty promises.

"The problems that generally all installation-less 'secure mailers' have persist though: if the server is hacked it can just send over malicious JavaScript to get the password and/or e-mail contents from the user," he told El Reg. ®
