Vulnerability disclosure for Tutanota

We fixed a vulnerability within one day of notification.

Focus on security: Fixed vulnerability within two days.

On April 3rd a vulnerable version of Tutanota was released. We were notified about the issue three days later by one of our users and fixed it immediately. Now, all affected versions of Tutanota have been disabled and we would like to inform you about the issue for full transparency.


All Tutanota apps (web, desktop, Android, iOS) version 3.112.5 were vulnerable to the HTML attribute injection that we explain in more detail below.

The vulnerability is fixed and the vulnerable apps versions have been disabled and can’t be used anymore.

Details of vulnerability

App version 3.112.5 introduced displaying the mail subject in the header of the app. This was done by setting a title for a component displaying that app section. The same title is used as an accessibility ARIA title for that view via aria-label attribute. The code was utilizing mithril’s hyperscript capabilities to add ARIA attributes via a single selector string. The selector string was crafted in an unsafe manner which made it possible to manipulate the selector and therefore HTML attributes by using a specifically crafted email subject.

The vulnerability was fixed by using an attributes object instead of encoding attributes in a mithril selector.

Impact

We are not aware of any incident where the vulnerability was exploited.

No action is necessary from your side.

Timeline

  • 03-04-2023 Vulnerable version is released
  • 06-04-2023 Reports regarding mail are received, the vulnerability is patched, patched version is released
  • 09-05-2023 Vulnerable version is marked as outdated
  • 25-05-2023 Vulnerable version is disabled

Open Source increases level of security

We have always stressed the fact that open source tools are more secure than closed source applications. The code of open source clients can be inspected by the security community to make sure that the code is free from bugs, vulnerabilities and backdoors.

Though unfortunate, the vulnerability we describe above shows that this is actually true. While closed source code might have similar issues, users might never find out about this.

We are glad that security experts as well as our users are looking at our code and report issues.

It motivates us to work even harder on improving Tutanota!