7/24/2020 10:25 AM

Email Security Features Fail to Prevent Phishable 'From' Addresses

The security features for verifying the source of an email header fail to work together properly in many implementations, according to a team of researchers.

Three standards for email security that are supposed to verify the source of a message have critical implementation differences that could allow attackers to send emails from one domain and have them verified as sent from a different — more legitimate-seeming — domain, says a research team who will present their findings at the virtual Black Hat conference next month.

Researchers have discovered 18 different ways of fooling the triumvirate of email technologies — Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) — for a subset of email services, including Gmail, and clients, including Microsoft Outlook. The three technologies should ensure the FROM header of an email cannot be spoofed — for example, stating that the email comes from [email protected] when, in fact, an attacker has sent it from their own mail server — but the implementation differences undermine the authentication that the three technologies are designed to provide.

The potential for spear-phishing is significant, says Vern Paxson, a professor at the University of California at Berkeley and one of the researchers investigating the issues.

"This is really sobering because the mindset today [is] if you are using an industrial-strength mail system like Gmail, and it tells you that the message really is from '[email protected],' you are going to believe them," says Paxson, who is part of the trio of researchers who conducted the tests. "And it boils down to the fact they followed the spec, but they just did it in a different way than others may have expected."

The research highlights a major issue with component-based software design, where different development teams create software components to meet certain specifications: When the specifications are not clear, developers will often make a best guess. The resulting software may meet the specification but will react differently to edge cases.

In the current research, Paxson, post-doctoral student Jianjun Chen, and Jian Jiang, the director of engineering at Shape Security, found that the simple act, for example, of including two FROM lines in an email header can result in a mail server verifying the first FROM header while the email client displays the second FROM address. The result? An email sent from an attacker's mail server is verified as coming from a legitimate address, such as [email protected].

"At a high level, this is a general problem, which is that we build complex systems these days out of components that we get from different parties, and those parties can have inconsistencies in really minor ways that turn out to have security implications," Paxson says. "It is not anyone being boneheaded or a specification being sloppy so much as the complexity of the systems we build and the components we use, making security both hard and nasty."

The researchers tested three different classes of attacks against 10 popular email providers and 19 different email clients. The first class abuses the security assumptions of components in the same email server, while the second class exploits inconsistencies between a component on a server and one in a client-side email agent. A third class of weakness allows replay attacks in some cases, letting attackers make changes to an email without breaking the authentication.

Every email provider — including Google's Gmail.com, Apple's iCloud.com, Microsoft's Outlook.com, and Yahoo.com — had at least one issue that resulted in mismatched authentication, the researchers found. The FROM header in an email could be modified to include multiple addresses, for example, and iCloud and Gmail would both authenticate on the first address and display the second address.
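A defender-side check for the ambiguous FROM headers described in the two paragraphs above (two FROM lines, or one FROM line listing several addresses), written as an added example that is not from the article or the researchers' work. It assumes the receiving server stamps an RFC 8601-style `Authentication-Results` header with `dmarc=pass header.from=<domain>`, and the sample messages and domains are constructed.

```python
import email
import re
from email.utils import getaddresses

# Constructed sample (hypothetical domains): the first From line is the one the
# receiving server authenticated; the second names a domain it never checked.
SAMPLE_TWO_FROM = (
    b"Authentication-Results: mx.example.net; dmarc=pass header.from=sender.invalid\r\n"
    b"From: Alice <alice@sender.invalid>\r\n"
    b"From: CEO <ceo@example.com>\r\n"
    b"Subject: test\r\n\r\nbody\r\n"
)
# Constructed sample: one From line whose domain matches the authenticated one.
SAMPLE_CLEAN = (
    b"Authentication-Results: mx.example.net; dmarc=pass header.from=example.com\r\n"
    b"From: CEO <ceo@example.com>\r\n"
    b"Subject: test\r\n\r\nbody\r\n"
)

def authenticated_domain(msg):
    """Domain the receiving MTA reported as DMARC-aligned (RFC 8601 header.from=)."""
    ar = msg.get("Authentication-Results", "")
    m = re.search(r"dmarc=pass[^;]*?header\.from=([\w.-]+)", ar)
    return m.group(1).lower() if m else None

def check_from_ambiguity(raw_message):
    """Flag From headers that a server and a client could read differently."""
    msg = email.message_from_bytes(raw_message)
    from_lines = msg.get_all("From") or []          # every From line, in order
    addrs = [a.lower() for _, a in getaddresses(from_lines) if a]
    domains = {a.rpartition("@")[2] for a in addrs}
    auth = authenticated_domain(msg)
    findings = []
    if len(from_lines) > 1:
        findings.append("multiple From header lines")
    if len(addrs) > 1:
        findings.append("multiple addresses in From")
    if auth and any(d != auth for d in domains):
        findings.append("From domain differs from DMARC-authenticated domain")
    return {"addresses": addrs, "authenticated": auth, "findings": findings}

if __name__ == "__main__":
    for name, raw in (("two From lines", SAMPLE_TWO_FROM), ("clean", SAMPLE_CLEAN)):
        print(name, check_from_ambiguity(raw))
```

A mail gateway or mailbox-side filter can quarantine or visibly tag any message with a non-empty findings list, so the address the user sees is never one the server did not authenticate.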

Other attacks include adding special characters to the HELO or MAIL FROM fields of the header that are handled differently depending on the mail server.

The researchers notified email services of the research, garnering different reactions. Google fixed at least two of the issues immediately and rewarded the researchers bounties for the reports, as did Zoho.com, Mail.ru, Protonmail.com, and Fastmail.com. Other providers thanked the researchers and are analyzing the issues. Microsoft "disregarded our report (which included our paper and a video demoing [one] attack) because the threats rely on social engineering, which they view as outside the scope of security vulnerabilities," the researchers stated in a yet-to-be-published report. And Yahoo apparently misunderstood the attack details.

The research is ongoing. Even with 18 different techniques, Paxson and Chen do not believe they have exhausted the possibilities for attacks. 

"What is worrisome is that I would meet with the research group at Berkeley, and I would duck in every month or so, and [Chen] would have a few more attacks," Paxson says. "I wouldn't think that the paper is complete. It is what we could find in a year. Until we really have good tooling to find these things, I could not say that we have found them all."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
Enrico Fontan, User Rank: Strategist, 7/24/2020 | 2:26:35 PM
Social Engineering
The bad news is that Microsoft considers Social Engineering outside the topic of security vulnerabilities.

The mid-range user has to deal with different digital information in his PC workspace and sometimes doesn't have time to check email headers to see if the sender is the correct one.

Vendors need to think like hackers and support the standard end-user as much as possible in order to avoid these types of attacks.