Industry Updates

New “MailSploit” Allows Email Spoofing

Phishing attacks just got a whole lot easier.

A German security researcher named Sabri Haddouche has recently discovered a set of email vulnerabilities that have been collectively dubbed “Mailsploit.”  At the root, these vulnerabilities stem from the way most email systems interpret addresses encoded with a 1992 standard called RFC-1342.

The standard is that all information in an email header must be an ASCII character. If a non-ASCII character is encountered, it gets converted. Unfortunately, a shockingly large number of email clients (33 and counting) make no effort to check the header afterward for malicious code.

Also, if the RFC-1342 decoded header encountered a null-byte, or two or more email addresses, the only address that would be read would be the one that preceded the null-byte, or the first valid email address encountered.

The email clients vulnerable to this type of attack include:

  • Apple Mail
  • Mail for Windows 10
  • Microsoft Outlook 2016
  • Mozilla Thunderbird
  • Yahoo! Mail
  • AOL Mail

And many others, but Haddouche notes that Gmail is unaffected by the exploit.

There are two ways a hacker can use Mailsploit. First and most obvious to the eye is the fact that it can be used to spoof an email address, making it appear to be from someone you know, which, of course, has the impact of making it much more likely that you’ll click on any links embedded in the body of the message.

Secondly, and potentially even more troubling, is the fact that the exploit can be used to inject malicious code directly onto the recipient’s machine, which can easily give the hacker sending the email full control of the target’s system.

Worst of all, though, is the fact that while Haddouche contacted all of the companies found to offer vulnerable email clients, only eight of them have released a patch to correct the issue. Twelve vendors opted to triage the bug, but gave no information on if or when the issue might be patched, and twelve others made no reply at all.

Mozilla and Opera (both vulnerable) flatly refused to address the problem, which they see as a server-side issue.

Your IT staff’s job just got a whole lot harder.