Fixed vulnerability in Tutanota

During one of our regular security reviews we found an XSS vulnerability, which has now been fixed.

On February 25 we identified a possible Cross-Site Scripting (XSS) vulnerability on one of our web pages, separate from our webmail client and our desktop and mobile apps, which processes payment information from our payment provider Braintree. We immediately published a server-side fix to remove the vulnerability and updated the clients with the next release.


What happened and what actions have we taken?

The vulnerability was introduced on January 20 while improving the appearance of an intermediate page displayed during the credit card 3D Secure setup process. We fixed the vulnerability immediately after identifying it on February 25.

The vulnerability enabled an attacker to craft a malicious link that could leak login credentials.

No attempts to exploit the vulnerability are known to date. Although the vulnerability was introduced on a page that was involved with credit card payments, no payment data has been exposed.

Do I need to change my password?

The vulnerability could only be exploited because the payment processing page was served from our main domain. Because of this, the vulnerability made it possible to obtain passwords saved in the browser or session authentication tokens held by the browser.

The vulnerability could have been exploited under the following circumstances:

  • You received and clicked on a link that started with https://mail.tutanota.com/braintree.html between January 20 and February 25, 2021.

  • If you had stored your Tutanota login credentials in the browser, the attacker would then have been able to access your password.

  • If you were logged in to Tutanota in the browser, the attacker would have been able to use your session authentication to access your mailbox until you logged out again.

  • The vulnerability could not have been exploited under any circumstances if you only use Tutanota via our desktop clients and mobile apps.

Please note: The automatic forwarding to our payment processor when you paid for Tutanota never posed a vulnerability.

If you believe someone might have gotten hold of your password, please change your password and update your recovery code, both under Settings -> Login.

It is important to also update your recovery code if you believe someone has stolen your password, because with the password they could have changed your recovery code in order to take over your account at a later time.

Steps to prevent similar issues

We have taken steps to prevent similar issues in the future:

  • We moved all payment processing to a separate subdomain that does not have access to saved login credentials.

  • Our coding guidelines now prohibit the use of patterns that are linked to similar attacks.

  • We identified this vulnerability during a regular internal security review. We will continue to regularly review our full code base for security issues.
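The two defences listed above, output encoding in the page template and origin separation for the payment pages, as an added example that is not Tutanota's code. The post does not say which coding pattern was banned; the example assumes the most common cause of this kind of bug, concatenating a URL query parameter into HTML, and shows the same render function with and without encoding. The `status` parameter and the `pay.tutanota.com` subdomain are hypothetical names chosen for illustration; only `mail.tutanota.com/braintree.html` comes from the post. Runs under Node.js without dependencies.

```javascript
// Added example (not Tutanota's code). Two defences from the post:
//  1. Output encoding: untrusted query parameters must never be inserted
//     into markup verbatim (assumed to be the banned pattern).
//  2. Origin separation: a payment page on its own subdomain has a different
//     origin from the webmail app, so the browser's same-origin policy keeps
//     it away from the webmail origin's storage, sessions and DOM.

// Escape the characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern, kept for contrast: the untrusted "status" parameter
// becomes part of the markup, so whoever crafts the link controls the page.
function renderStatusUnsafe(status) {
  return '<p class="status">' + status + '</p>';
}

// Hardened pattern: same page, parameter encoded so it is rendered as text.
function renderStatusSafe(status) {
  return '<p class="status">' + escapeHtml(status) + '</p>';
}

// Read the hypothetical "status" parameter from a full link, as a
// payment-return page would.
function statusFromLink(link) {
  return new URL(link).searchParams.get('status') || '';
}

// Origin = scheme + host + port. Two pages share localStorage, sessionStorage
// and script access to each other only when this value is identical.
function originOf(url) {
  return new URL(url).origin;
}

function sharesOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed sample link: the path from the post with a made-up parameter
// carrying markup that would execute if rendered unencoded.
const craftedLink =
  'https://mail.tutanota.com/braintree.html?status=' +
  encodeURIComponent('<script>/* would run in the webmail origin */</script>');

function demo() {
  const status = statusFromLink(craftedLink);
  console.log('unsafe render:', renderStatusUnsafe(status));
  console.log('safe render:  ', renderStatusSafe(status));
  // Same-origin check: the old location shared the webmail origin; a
  // hypothetical payment subdomain does not.
  console.log('braintree.html on webmail origin shares it:',
    sharesOrigin('https://mail.tutanota.com/braintree.html', 'https://mail.tutanota.com/'));
  console.log('payment subdomain shares webmail origin:',
    sharesOrigin('https://pay.tutanota.com/braintree.html', 'https://mail.tutanota.com/'));
}

demo();
```

Encoding closes the injection; moving the page to another origin limits what an injection could reach even if one slipped through, which is why the post lists both.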

Security review

We have now finished our most recent security review of Tutanota. This security review was part of the process of pushing the Tutanota desktop clients out of beta.

During the review no further severe issues were found. We have identified a couple of minor issues that we are in the process of fixing now.