Did ROPEMAKER just unravel email security? Nah, it's likely a feature
Exploit that changes content of messages after delivery found
A new attack, dubbed ROPEMAKER, changes the content of emails after their delivery to add malicious URLs and corrupt records.
The assault undermines the comforting notion that email is immutable once delivered, according to email security firm Mimecast. Microsoft reckons the issue doesn't represent a vulnerability, a stance a third-party security expert quizzed by El Reg backed.
Using the ROPEMAKER exploit, a malicious actor can change the displayed content in an email, according to security researchers at Mimecast. For example, a hacker could swap a benign URL with a malicious one in an email already delivered to your inbox, or simply edit any text in the body of an email, as illustrated here.
The exploit works without direct access to a target's inbox. The intersection of email and web technologies, more specifically Cascading Style Sheets (CSS) used with HTML, has also introduced an exploitable vector for email. Attackers would be able to weave their malignant magic after redirecting users to dodgy websites.
Being able to alter CSS and change what's displayed in a message is kind of the whole point of how it works, an independent security expert pointed out. Our man, who asked not to be named, expressed scepticism about Mimecast's research.
To date, Mimecast has not seen ROPEMAKER exploited in the wild. But the security firm has been able to get the trick to work on the most popular email clients and online services. As such, the hack is particularly useful for targeted attacks, which might already be taking place under the radar.
Matthew Gardiner, cyber resilience expert at Mimecast, said that the firm has shown through testing that email using remote resources (such as a remote CSS) is exploitable.
"We can certainly debate whether it is an application vulnerability (thus requiring a patch), an example of the misuse or abuse of an application, or a fundamental design flaw when email and the web were merged," Gardiner said. "I would argue it is all three. When you have a remote resource (like a remote CSS) under the control of an untrusted entity, it opens the door to mischief."
Conveniently Mimecast has been able to add a defence against this exploit for its customers. In the short term, controls in the email clients can mitigate against the threat. The longer-term fix would involve a revision of internet standards and more intelligent security controls at the network and the endpoint, according to Mimecast. ®