Keeping Email Safe from the ROPEMAKER Vulnerability

In late August, a security advisory was published regarding a newly discovered exploit affecting email providers.The issue, dubbed as “ROPEMAKER”, stands for “Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky”.

The attack is an interesting one so our security team took a closer look at it. The RopeMaker technique allows an attacker to visually modify a HTML email, sent by the attacker, even after it’s been delivered. In some cases, RopeMaker can also be used to modify the HTML code of an email as well. For example, an attacker could change a good link into a malicious link, or edit the body of an email at will, all without access to the mailbox, and even after the email has been delivered.

Based on the security advisory, Outlook, Apple Mail, and Mozilla Thunderbird are/were vulnerable to this issue. Unfortunately, there’s no fix that you can make yourself to prevent this attack if you’re using one of these email applications. You’ll instead have to wait for these services to patch their systems.

How it Works

The main requirement for achieving a successful RopeMaker attack is when the email client allows remote CSS files to be rendered. The remote CSS file acts as a “modification backdoor” for the attacker/sender in the RopeMaker technique.

RopeMaker and ProtonMail

After analyzing the security advisory, we immediately performed an internal review of our CSS rendering processes. We can confirm that ProtonMail is not affected by the RopeMaker technique, and was not previously affected by it. However, we will be doing some additional development in order to further harden ProtonMail against future, not-yet-discovered exploits which may leverage some of the same techniques as RopeMaker.

At ProtonMail, we are serious about being the most secure email provider. A large part of ensuring a safe email experience is through engineering with security and privacy as the core principle, and not as merely an afterthought. However, even then, there is no such thing as 100% security, so providing the safest email service also requires active monitoring of the latest security threats to emerge.

As part of our email security efforts, our internal security team monitors numerous security mailing lists, forums, and other locations with relevant online chatter in order to identify and block threats before they can be exploited. In addition to our extensive internal efforts to protect ProtonMail users, we also host a bug bounty program to work with security researchers around the world in improving the security state of both ProtonMail and ProtonVPN. Through leveraging the expertise of the global security community, we can ensure that ProtonMail is as safe as possible.

Best Regards,
ProtonMail Security

About the Author

Mazin Ahmed

Mazin is a security researcher who specializes in web-application and mobile-application security. He is passionate about information security and has previously found vulnerabilities in Facebook, Twitter, Linkedin, and Oracle to name a few. Mazin is a member of the ProtonMail Security Team.

 

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

2 comments on “Keeping Email Safe from the ROPEMAKER Vulnerability

  • This is good news.

    OT, but in the past week or so, I’ve twice gotten errors when trying to login, appearing on the login screen, indicating that the protonmail servers are unreachable. Is this becoming a frequent occurrence? being looked into at all?

    Reply