Vulnerability disclosure for Tutanota
We fixed a vulnerability within one day of notification.
All Tutanota apps (web, desktop, Android, iOS) in version 3.112.5 were vulnerable to the HTML attribute injection that we explain in more detail below.
The vulnerability is fixed, and the vulnerable app versions have been disabled and can no longer be used.
Details of vulnerability
App version 3.112.5 introduced displaying the mail subject in the header of the app. This was done by setting a title for the component displaying that app section. The same title is also used as the accessibility (ARIA) label for that view via the aria-label attribute. The code used mithril's hyperscript capabilities to add ARIA attributes through a single selector string. That selector string was built in an unsafe manner, which made it possible to manipulate the selector, and therefore the HTML attributes, using a specifically crafted email subject.
The vulnerability was fixed by using an attributes object instead of encoding attributes in a mithril selector.
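The following is an added illustration of the two patterns described above; it is not Tutanota's or mithril's code. The function parseSelector is a deliberately simplified stand-in for mithril's hyperscript selector parser (tag, #id, .class and [attr=value] only), the selector ".header", the function names and the sample subjects are all constructed for this example, and the check attributesIntact is a hypothetical helper showing how a test could catch the attribute injection before release.

```javascript
// Added example (not Tutanota's or mithril's code): why concatenating a
// user-controlled mail subject into a hyperscript selector string is unsafe,
// and the fix the advisory describes (passing attributes as an object).
// parseSelector() is a simplified stand-in for mithril's selector parser and
// supports only tag, #id, .class and [attr=value]; it is an assumption made
// for illustration, not mithril's real implementation.

function parseSelector(selector) {
  const attrs = {};
  const classes = [];
  let tag = "div";
  // Tokens: a leading tag name, #id, .class, or [name=value].
  const tokenRe = /(?:(^|#|\.)([^#.[\]]+))|(?:\[([^\]=]+)(?:=([^\]]*))?\])/g;
  let match;
  while ((match = tokenRe.exec(selector)) !== null) {
    const [, prefix, name, attrName, attrValue] = match;
    if (attrName !== undefined) {
      attrs[attrName] = attrValue === undefined ? true : attrValue;
    } else if (prefix === "#") {
      attrs.id = name;
    } else if (prefix === ".") {
      classes.push(name);
    } else {
      tag = name;
    }
  }
  if (classes.length > 0) attrs.className = classes.join(" ");
  return { tag, attrs };
}

// Vulnerable pattern (as described in the advisory): the subject becomes part
// of the selector grammar, so a "]" inside a subject ends the attribute early
// and whatever follows is parsed as further classes or attributes.
function headerVnodeUnsafe(subject) {
  return parseSelector(`.header[aria-label=${subject}]`);
}

// Fixed pattern: attributes travel in an object, so the subject is only data.
// In real mithril this corresponds to m(".header", {"aria-label": subject}).
function headerVnodeSafe(subject) {
  return { tag: "div", attrs: { className: "header", "aria-label": subject } };
}

// Defensive check: did rendering the subject produce exactly the attributes we
// intended (className plus one aria-label that equals the subject verbatim)?
function attributesIntact(vnode, subject) {
  const names = Object.keys(vnode.attrs).sort();
  return names.join(",") === "aria-label,className" &&
    vnode.attrs["aria-label"] === subject;
}

// Constructed sample subjects (not real mail data).
const BENIGN_SUBJECT = "Quarterly report";
const HOSTILE_SUBJECT = "Quarterly report].extra[title=injected";

function demo() {
  for (const subject of [BENIGN_SUBJECT, HOSTILE_SUBJECT]) {
    const unsafe = headerVnodeUnsafe(subject);
    const safe = headerVnodeSafe(subject);
    console.log(JSON.stringify(subject));
    console.log("  selector string:", JSON.stringify(unsafe.attrs),
      attributesIntact(unsafe, subject) ? "(intact)" : "(INJECTED)");
    console.log("  attributes object:", JSON.stringify(safe.attrs),
      attributesIntact(safe, subject) ? "(intact)" : "(INJECTED)");
  }
}

demo();
```

Run with node: the benign subject renders identically either way, while the hostile subject silently gains an extra class and a title attribute when routed through the selector string, and stays a single aria-label value when passed as an attributes object. A unit test asserting attributesIntact over a corpus of awkward subjects (brackets, quotes, dots, hashes) is the kind of regression check that pins the fix in place.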
Impact
We are not aware of any incident where the vulnerability was exploited.
No action is necessary from your side.
Timeline
- 03-04-2023 Vulnerable version is released
- 06-04-2023 Reports regarding mail are received, the vulnerability is patched, patched version is released
- 09-05-2023 Vulnerable version is marked as outdated
- 25-05-2023 Vulnerable version is disabled
Open source increases the level of security
We have always stressed the fact that open source tools are more secure than closed source applications. The code of open source clients can be inspected by the security community to make sure that the code is free from bugs, vulnerabilities and backdoors.
Though unfortunate, the vulnerability we describe above shows that this is actually true. Closed source code might have similar issues, but users might never find out about them.
We are glad that security experts as well as our users are looking at our code and report issues.
It motivates us to work even harder on improving Tutanota!