Another 'NSA-proof' webmail biz popped by JavaScript injection bug

alert('Thomas Roth strikes again');

German startup Tutanota has admitted its webmail service was vulnerable to a cross-site scripting bug despite boasting it offered an "NSA-proof email service."

The flaw, which would have allowed attackers to inject malicious JavaScript into victims' browsers, was uncovered and reported last night by German security researcher Thomas Roth. That's the same researcher who uncovered a similarly severe flaw in rival service ProtonMail. Both websites perform message encryption and decryption in the browser, keeping the crypto keys in the hands of the users rather than the providers (and governments).

Tutanota confirmed it had fixed the XSS hole in an advisory today that sought to play down the significance of the flaw:

It was a possible cross-site-scripting attack when forwarding an email. The issue has already been fixed. The attack worked as follows: When forwarding an email, the subject was embedded in the body of the new email unsanitized. This made it theoretically possible for attackers to manipulate the subject upon sending an email to a Tutanota email address. Then the attacker had to trick the user into forwarding this email. This way he would have had the opportunity to execute JavaScript code in the context of the web application.
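The pattern the advisory describes, shown beside its fix, as an added example that is not Tutanota's code: the function names, the forward-header layout and the sample message are assumptions made for illustration. The body has already passed the inbound sanitizer, but the subject is composed into the forwarded message's HTML afterwards, so it has to be escaped at that point.

```javascript
// Added example: names and template layout are hypothetical, not Tutanota's code.

// Escape a string so it is treated as text inside HTML content or attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the sender-controlled subject is concatenated into the
// new message body as markup, after the body itself was sanitized.
function buildForwardBodyUnsafe(mail) {
  return '<div class="fwd-header">Subject: ' + mail.subject + '</div>' +
         '<blockquote>' + mail.sanitizedBody + '</blockquote>';
}

// Hardened: header fields are escaped where they are composed into HTML.
function buildForwardBodySafe(mail) {
  return '<div class="fwd-header">Subject: ' + escapeHtml(mail.subject) + '</div>' +
         '<blockquote>' + mail.sanitizedBody + '</blockquote>';
}

// Regression check for a test suite: list element names in the composed HTML
// that the forward template and the sanitized body are not expected to produce.
function unexpectedTags(html, allowed) {
  const names = [...html.matchAll(/<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return [...new Set(names)].filter((name) => !allowed.includes(name));
}

// Constructed sample message; the subject reuses the alert string from this article.
const sampleMail = {
  subject: "Q3 report <script>alert('Thomas Roth strikes again')</script>",
  sanitizedBody: '<p>See attached.</p>',
};
const TEMPLATE_TAGS = ['div', 'blockquote', 'p'];

console.log('unsafe:', unexpectedTags(buildForwardBodyUnsafe(sampleMail), TEMPLATE_TAGS));
console.log('safe:  ', unexpectedTags(buildForwardBodySafe(sampleMail), TEMPLATE_TAGS));
```

Running the same check against every code path that builds HTML from message metadata (reply, forward, print view) catches fields that bypass the body sanitizer.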

Earlier this week, prior to Roth's discovery, Tutanota told The Register it had run an "extensive penetration test" during which cross-site scripting attacks were attempted. These tests [results PDF] were carried out by Syss GmbH, which was unable to turn up any problems.

"Cross site scripting attacks are prevented by a sanitizer which filters embedded scripts from the emails sent and received via Tutanota," the secure email startup assured us before Roth's XSS bug was found this week. "This sanitizer was active since Tutanota was published."

"During the penetration test cross site scripting attacks were executed, but no vulnerability found," it added.

Of course, it's entirely possible for one researcher to find flaws that others miss. However, Roth unearthed the vuln minutes after he started investigating the security of Tutanota. The German biz patched the bug within a day of being alerted to the vulnerability.

Cofounder and developer of Tutanota Arne Möhle said: “If a serious security vulnerability is discovered, we would rather shut down our service until the vulnerability is eliminated.”

The discovered subject-line vulnerability in Tutanota is "not as obvious as the ProtonMail [XSS] and relies on a small user interaction," Roth told El Reg.

He said his discovery nonetheless proves Tutanota's "XSS is not possible" claim is foolhardy even "though [Tutanota] really tries and does a much, much better job in that regard than ProtonMail."

"Obviously I did not conduct a real penetration test or anything, just a very quick look. Reviewing their cryptography would require more work," he added.

Tutanota, which offers end-to-end encryption of messages, launched a freebie product aimed at ordinary netizens on 2 July. The announcement was tainted by the usual "NSA-proof" hype, but it was able to reveal its cryptography:

Tutanota encrypts locally in the browser with a standardized, hybrid method consisting of a symmetrical and an asymmetrical key with RSA 2048 Bit and AES 128 Bit. This encryption process takes place automatically between Tutanota users. If a Tutanota user sends an encrypted email to an external recipient, the email is encrypted with AES 128 Bit with the help of a password exchange. Subject, content and attachments are automatically encrypted. The recipient can also answer directly with an encrypted email.

The firm was founded as a spin-off from the L3S Research Center at Leibniz University Hanover in 2012 by three former students. Tutanota is hoping to make money by offering a premium version of its secure email service featuring additional storage and more functionality, making it attractive to businesses.

Tutanota Starter, which is pitched at corporate IT, is an Outlook Addin that encrypts emails directly in Outlook.

The technology has not been subjected to peer review by cryptographers, the sort of people who uncovered flaws in Lavabit, which even Edward Snowden trusted (at least up to a point).

End-to-end encrypted webmail in the browser is a difficult problem to crack. Tutanota is far from the first to come unstuck despite confident claims to the contrary beforehand. Lavabit, ProtonMail, Hushmail et al have all had to backtrack on their respective security claims for one reason or another.

Tutanota claimed it was still ahead of its rivals because it refuses to touch users' unencrypted messages.

"It seems like services like Lavabit and Hushmail had some type of access to the plain text mails, e.g. because the user password was sent to the server," a Tutanota spokesman told El Reg.

"With Tutanota we can not get access to the user's private key because it is stored encrypted on the server. It is encrypted with the user's password and that password is never sent to the server. Decryption of the user's private key takes place on the client."

Without speaking specifically about Tutanota, Roth outlined the general problem many secure mail services face in living up to their lofty promises.

"The problems that generally all installation-less 'secure mailers' have persists though: if the server is hacked it can just send over malicious JavaScript to get the password and/or e-mail contents from the user," he told El Reg. ®
