Unpatched RainLoop Webmail Enables Theft of Emails – GovInfoSecurity.com


Researchers Have Identified a Cross-Site Scripting Vulnerability

Unpatched RainLoop Webmail Enables Theft of Emails
Attackers gain full control over a session if an email is viewed. (Source: RainLoop website)

Researchers have uncovered a code vulnerability in RainLoop, an open-source webmail client used by several organizations to exchange sensitive messages and files via email. Security researchers at SonarSource say that this vulnerability allows attackers to steal emails from the inboxes of victims.


As described by Simon Scannell, a vulnerability researcher at SonarSource, an attacker can exploit the code vulnerability simply by sending a malicious email to a victim that uses RainLoop as a mail client.

Uncovering the Vulnerability

“When the email is viewed by the victim, the attacker gains full control over the session of the victim and can steal any of their emails, including those that contain highly sensitive information such as passwords, documents, and password reset links,” Scannell says.

The discovered code flaw is a stored cross-site scripting, or XSS, vulnerability tracked as CVE-2022-29360. It affects RainLoop version v1.16.0, which was released in May 2021.

A stored XSS vulnerability occurs when a malicious script is injected into a vulnerable web application and persisted there, so that it later runs in the browsers of users who view the affected content.

At the time of writing, Scannell says that no official patch is available, and the vulnerability can be exploited in any RainLoop installation that runs with default configurations.

“An attacker who knows the email address of an employee of a targeted organization can send the victim a maliciously crafted email. When it is viewed in the webmail interface, it executes a hidden JavaScript payload in the browser of the victim. No further user interaction is required,” Scannell says.

SonarSource says that it first contacted RainLoop about the flaw on Nov. 30, 2021, but it received no response. Subsequently, the researchers created a GitHub issue on Dec. 6, 2021, but they say that as yet there has been no response.

Finally, researchers contacted RainLoop on Jan. 1, 2022, via email and the GitHub issue, to inform it about the 90-day disclosure policy, but still there was no response from the vendor.

A spokesperson for RainLoop was not immediately available to comment.

Technical Details

Scannell says that RainLoop’s back end is a PHP application, which acts as a proxy between a user and their mail server. “Similar to mail clients, such as Thunderbird, it enables a user to log into a mail server, fetch emails, view them, and send emails,” he says.

“SonarSource researchers have sounded the alarm that the vulnerability is exploitable if a victim receives a malicious email. Now the call is out for defenders to adapt, innovate faster and thrive. Even though a patch doesn’t exist today, the silver lining is that Sonar has developed a patch that will provide organizations with the necessary time to assess if RainLoop is a risk to them,” Sam Curry, chief security officer at Cybereason, tells Information Security Media Group.

Since RainLoop is a web application, it renders incoming emails to HTML code, Scannell says. The application also needs to ensure that the rendered HTML code is validated and does not contain any unsafe links or malicious components.

Scannell describes how RainLoop follows this flow to achieve that:

  • Receive untrusted HTML code from the mail server.
  • Create an instance of the built-in DOMDocument class in PHP, which parses HTML into a tree structure of HTML elements and their attributes.
  • Depending on the configuration, allow or deny any dangerous contents in the tree structure.
  • Convert a sanitized tree structure of the DOMDocument into HTML code.

“Intuitively, it makes sense to analyze the code that attempts to remove any dangerous HTML code […] and find a weakness inside of that code to bypass the sanitizer. However, our experience has shown there are often logic bugs after the sanitization steps have been performed. From the security researcher’s point of view, they are much easier to spot and are often overlooked by developers,” Scannell says.

Researchers recommend that developers do not modify any data once it has been sanitized, as that could reverse the sanitization step.

Scannell also recommends working with a DOM tree object instead of operating on HTML text, which leaves much more room for mistakes.
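The four-step flow Scannell describes, written the way the two recommendations above ask for it: every removal and rewrite happens on the DOMDocument tree, and serialization is the final step. This is an added illustration, not RainLoop's code; the tag, attribute and URL-scheme allowlists are assumptions chosen for the example.

```php
<?php
// Added example, not RainLoop's code: parse -> filter on the tree ->
// serialize last. The three allowlists below are assumptions.
const DROP_TAGS   = ['script', 'iframe', 'object', 'embed', 'form', 'style', 'link', 'base'];
const URL_ATTRS   = ['href', 'src', 'action', 'background', 'formaction'];
const SAFE_SCHEME = ['http', 'https', 'mailto'];

function sanitizeEmailHtml(string $untrustedHtml): string
{
    // 1. Parse into a DOM tree; mail HTML is often malformed, so libxml
    //    warnings are collected rather than printed.
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<html><head><meta charset="utf-8"></head><body>' . $untrustedHtml . '</body></html>');
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);

    // 2. Drop elements that run code or pull remote content. The result is
    //    snapshotted first because nodes are detached while iterating.
    foreach (iterator_to_array($xpath->query('//' . implode(' | //', DROP_TAGS))) as $node) {
        $node->parentNode->removeChild($node);
    }

    // 3. Strip event handlers and URL attributes whose scheme is not allowlisted.
    //    Values are already entity-decoded here ("javascript&#58;" reads as
    //    "javascript:"), and ASCII control characters are removed before the
    //    check because browsers ignore them inside URLs.
    foreach ($xpath->query('//*') as $el) {
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name  = $attr->name;
            $probe = preg_replace('/[\x00-\x20]+/', '', $el->getAttribute($name));
            $badScheme = in_array($name, URL_ATTRS, true)
                && preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)
                && !in_array(strtolower($m[1]), SAFE_SCHEME, true);
            if (strncmp($name, 'on', 2) === 0 || $badScheme) {
                $el->removeAttribute($name);
            }
        }
        // 4. Rewriting the client needs (here: isolating outbound links) is
        //    done on the tree as well, never on the serialized string.
        if ($el->tagName === 'a' && $el->hasAttribute('href')) {
            $el->setAttribute('rel', 'noopener noreferrer');
            $el->setAttribute('target', '_blank');
        }
    }
    // 5. Serialize last; nothing touches the HTML string after this point.
    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
```

Feeding it `<p onclick="x()">Hi <a href=" javascript:alert(1)">link</a><script>x()</script></p>` returns a paragraph with no event handler, an anchor with no href, and no script element; any further link or image rewriting a webmail wants belongs in step 4, before the tree is serialized.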

Critical Issues

Avishai Avivi, chief information security officer at cybersecurity firm SafeBreach, says that based on the available information, it seems that the RainLoop product is no longer actively maintained or supported.

Avivi says that this highlights three issues for which the vendor is responsible: legacy code, technical debt and third-party risk management.

“While, arguably, RainLoop is offered as a free version, it probably did sell in the past. There is no explicit indication that the product is no longer maintained or supported. The responsible action by the RainLoop team would have been to indicate this so that users avoid downloading, installing and using a tool that is no longer maintained,” Avivi says.

Many companies deal with legacy code and technical debt. Avivi says companies may have multiple reasons for not addressing old code and products that have fallen out of support, but that as a result the problem tends to grow rather than go away.

“This does have the potential to blow up when a vulnerability is found and there is no one left in the company that can address it,” Avivi says.

He says that companies must consider the risk of leveraging software or code from open sources and must account for any critical dependencies on such code and address them in relevant business continuity considerations.

Source of this news: https://www.govinfosecurity.com/unpatched-rainloop-webmail-enables-theft-emails-a-18948
