Top email programs, including Apple Mail on iOS and macOS, Microsoft Outlook and Microsoft Mail for Windows 10, can be fooled by a simple trick that "spoofs" the sender's email address, putting users of those programs at risk from cybercriminals, scammers and identity thieves.
Lots of people try to spoof emails; just have a look at any of the poorly written messages in your spam folder that claim to be from Microsoft. However, you can usually tell where a suspicious message really comes from by inspecting the sender's details. Spoofing an email convincingly takes more effort.
Thanks to a newly disclosed vulnerability known as Mailsploit, not only can an attacker fool many email clients with little effort, but in some clients a specially crafted sender field can even inject code into the mail program itself. Sabri Haddouche, a security researcher with Swiss secure-messaging company Wire, discovered the flaw and published details on a dedicated website, which includes a demo that lets you send yourself a test email and see how the exploit works.
Before you panic, though, be aware that your email client might not be susceptible to Mailsploit — and even if it displays spoofed addresses, it may not be able to run malicious code. Haddouche has compiled a Google spreadsheet listing of affected clients; check to see if yours is one of them. (Microsoft Outlook for iOS and Android is not mentioned — it may be among the redacted listings — but we found that at least the Android variant is affected.)
How to protect yourself varies, depending on the extent to which your client may be compromised. If you look at the spreadsheet and find yourself with "NOs" across the board, you're fine; keep using your email program normally.
The most common situation is that your client is affected by address spoofing, but not by cross-site-scripting (XSS) or code injection. If this is the case, you can simply exercise a great deal of caution if you get a suspicious email from a familiar address, especially if it contains an attachment or hyperlink. You can also check your mail on an unaffected client.
For example, Microsoft Outlook on Windows and macOS is affected, but Microsoft Outlook's web interface is not. Viewed through a web browser, the message's "sender" field shows the raw, undecoded encoded text (a long string of gibberish) rather than the spoofed address, which is itself a sign that something is wrong with the message.
However, if your client is vulnerable to XSS/code injection, that could present a legitimately dangerous situation. If you receive your email through one of these affected clients or web services, which include Mailfence, Spark and Newton, you should start reading your email using another client as soon as possible.
Gmail, whose web client is not affected by Mailsploit, can receive email forwarded from a wide variety of sources, making it a solid choice if you can spend a few minutes setting up mail forwarding.
Here's how Mailsploit works: Under the original Internet mail standards, header fields such as the sender address and the subject line may contain only 7-bit ASCII characters (American English letters, numbers, punctuation and so forth). In 1992 the Internet Engineering Task Force, recognizing that people would want non-English characters in those fields, approved a method (RFC 1342, today RFC 2047) for encoding such text into ASCII "encoded-words" that the receiving email client decodes before displaying it.
The problem is that not every email client decodes those encoded-words carefully. Some trip up or behave unexpectedly when the decoded text contains characters that should never appear in a header, such as a null byte, and Mailsploit exploits exactly those gaps.
By carefully crafting such a string, an attacker can make the client display a harmless-looking address such as "firstname.lastname@example.org" when the decoded header actually reads "firstname.lastname@example.org\0@example.com", with the attacker's real domain after the null byte. (The client stops reading the address when it hits "\0", so the real domain never appears on screen.) Haddouche created a video showing the process on an iPhone X.
Security programs set to catch email spoofing might not catch that either: sender-authentication checks such as SPF, DKIM and DMARC are evaluated against the real domain after the null byte, which the attacker controls, so the message can pass them while the client shows the spoofed address. An unsuspecting user might think he or she had received an email from the President — or, more realistically, from a friend or family member — and would be more likely to trust links embedded in the email.
In clients that render the decoded sender field as HTML rather than plain text, the same trick can carry markup or script instead of a null byte, so a crafted sender could force the email client to load a compromised website and install malware on the target machine. Simply opening an email from a trusted address would not set off alarm bells in most users' heads, making this an unusually effective attack vector.
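To make the spoofing mechanism and the code-injection variant above concrete, here is an added example in Python. It is not code from the Mailsploit site or from any mail client; the addresses and the display name are placeholders. It builds a sender value the way the text describes (an RFC 2047 encoded-word whose decoded bytes end in a null byte, followed by the attacker's real domain), shows what a client that stops reading at the first null byte displays, and contrasts that with a hardened decoder that refuses control characters and treats the decoded text strictly as text.

```python
import base64
import html
import re

# RFC 2047 encoded-word: =?charset?encoding?payload?=
ENCODED_WORD = re.compile(r'=\?([^?]+)\?([bBqQ])\?([^?]*)\?=')


def decode_encoded_words(header: str) -> str:
    """Decode every RFC 2047 encoded-word in a header value.

    Decoded bytes are returned verbatim, including any NUL byte or HTML the
    sender smuggled in; that is exactly what Mailsploit relies on."""
    def repl(m):
        charset, encoding, payload = m.group(1), m.group(2).upper(), m.group(3)
        if encoding == 'B':
            raw = base64.b64decode(payload)
        else:  # Q encoding: '_' means space, =XX is a hex-encoded byte
            raw = re.sub(rb'=([0-9A-Fa-f]{2})',
                         lambda h: bytes([int(h.group(1), 16)]),
                         payload.replace('_', ' ').encode('ascii'))
        return raw.decode(charset, errors='replace')
    return ENCODED_WORD.sub(repl, header)


def build_spoofed_from(displayed: str, real_suffix: str) -> str:
    """Build a Mailsploit-style From value (constructed example).

    The address to display is followed by a NUL inside the encoded-word; the
    attacker's real domain sits outside it, so SPF/DKIM/DMARC are evaluated
    against that real domain rather than the displayed one."""
    payload = base64.b64encode((displayed + '\x00').encode('utf-8')).decode('ascii')
    return f'=?utf-8?b?{payload}?={real_suffix}'


def naive_display_address(header: str) -> str:
    """What a client that treats the decoded value as a C string shows:
    everything up to the first NUL, i.e. only the spoofed address."""
    return decode_encoded_words(header).split('\x00', 1)[0]


def hardened_display_address(header: str) -> str:
    """Decode, refuse any control character, and HTML-escape the result so a
    decoded display name can only ever render as text, never as markup."""
    text = decode_encoded_words(header)
    if any(ord(c) < 0x20 or ord(c) == 0x7f for c in text):
        raise ValueError('decoded From value contains control characters')
    return html.escape(text)


if __name__ == '__main__':
    spoofed = build_spoofed_from('firstname.lastname@example.org', '@example.com')
    print('raw header   :', spoofed)
    print('naive client :', naive_display_address(spoofed))
    try:
        hardened_display_address(spoofed)
    except ValueError as err:
        print('hardened     : rejected,', err)
    # A legitimate non-ASCII display name decodes and renders normally.
    print(hardened_display_address('=?utf-8?q?J=C3=BCrgen?= <juergen@example.org>'))
```

The raw header is what an unaffected web client shows as "gibberish": the base64 blob followed by the real domain. The hardened path makes two independent decisions, rejecting control characters (which defeats the truncation trick) and escaping the decoded text before display (which defeats the injection variant), so a client that does only one of them is still exposed to the other.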
While most affected email clients are working on patches (and some, such as ProtonMail and Yahoo Mail, have already pushed out updates), not every company chooses to take responsibility. Mozilla (Thunderbird) and Opera (Opera Mail) both claimed that the issue exists on the server side, and therefore they are not responsible for providing patches. Granted, neither program is susceptible to remote code injection, but that's still putting a lot of the onus to stay safe on the user.