Ropemaker Exploit Allows Attackers to Modify Mails - Tutanota Is Not Affected

Security professionals warn of a new mail exploit that allows an attacker to easily change the content of an email even after it has arrived at a mailbox. This exploit only affects desktop clients such as Apple Mail, Microsoft Outlook, and Mozilla Thunderbird. Tutanota as a webmail client with its own mobile apps is not affected.


The Ropemaker exploit (Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky) can be used by attackers to easily alter the content of a mail, for example swapping a URL with the malicious one. However, it is disputed if this is a new exploit or an exploit at all. Apple argues that they do not need to fix this because users can simply disable the loading of remote content to stop this attack from happening.

According to Mimecast who published details about the exploit on their blog, Ropemaker abuses Cascading Style Sheets (CSS) and Hypertext Markup Language (HTML), both used by desktop clients. “The origin of Ropemaker lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML,” writes Mimecast.

Attack possible after mail was received

The attack can be executed even after the mail has been delivered to the recipient’s inbox, having been checked by spam and security filters. The attacker does not need access to the recipient’s computer or mail application, which makes hundreds of millions of desktop mail clients vulnerable to this attack.

CSS is stored remotely, which allows the attacker to change the content of an email by remotely changing the ‘style’ of an email. The attacker could, for example, alter a URL so that the new URL sends the user to a compromised site designed to

Tutanota not affected

The Ropemaker attack exploits a security hole in the design of desktop clients such as Apple Mail and Thunderbird. Tutanota as a secure webmail application is not affected.

Security is at the heart of Tutanota. However, potential security holes can be found in any web application. That’s why our webmail client as well as our iOS and Android apps are published as open source software. With the code being publicly available, security experts are able to look at the code and notice potential exploits so that any weakness can be patched up quickly.