Update September 20th 2023: Sonar published a blog post on this vulnerability, also on Protonmail and Skiff.
The Sonar team explicitly praised the Tutanota team for how exceptionally well we at Tutanota handled this security issue - while they did not praise our competitors. Which is true: To date, we’re fixed all reported vulnerabilities within a few days, oftentimes within one day of notification.
The Sonar team concluded their post with these words:
“Big kudos to the Tutanota team for handling our report exceptionally well. They fixed the vulnerability in two days, implemented further hardening measures to stop similar vulnerabilities from being exploitable in the future, and disabled affected clients.
They also released a transparency blog post for their users that covers the relevant details of the vulnerability, explains how the vulnerability was handled, and what they plan to do to improve the security of their product further. This proves that the Tutanota team greatly cares about the security of their users; we would love to see more of this!”
What happened?
On June 22nd 2022 we received a security advisory from Paul Gerste, Sonar, informing us of a cross-site scripting (XSS) vulnerability in Tutanota which affected all clients, and a remote code execution (RCE) vulnerability which affected just the desktop clients. Both vulnerabilities have been fixed immediately and a patch was released in version 3.98.1 on June 24th 2022.
The XSS vulnerability enabled an attacker to extract information from Tutanota by crafting a malicious email which would be able to bypass our sanitization, causing foreign JavaScript code to be injected into the app and executed. The RCE vulnerability enabled an attacker to execute programs on a user’s system via the desktop client (this was demonstrated using Windows, but may have been possible on other operating systems), in which they take advantage of the XSS and use it to download and execute a malicious attachment.
What actions have we taken?
Two days after being informed about the vulnerabilities, we have released a patch in version 3.98.1 which puts the urlify call before the sanitization, fixing the immediate problem of the XSS.
In addition, we have implemented changes to harden the security of the application, which are mostly released already or will be released with the next update:
-
Using a shadow DOM to render mail bodies, ensuring that any styles that somehow survive sanitization will not leak to the rest of the app
-
Handling the edge case with looksExecutable
-
Improving CSP in electron and restricting which files can be accessed
-
Randomizing the name of the temporary directory, to ensure that attachment locations cannot be predicted by an attacker
Please be aware that an additional hardening of the security in an upcoming release will require that local search indexes be deleted on the desktop clients and mobile apps. This index is automatically created again with your next search. Check here how to improve your search results.
Affected clients disabled
All affected clients have been disabled. We are not aware of any incidence where a malicious attacker has taken advantage of these vulnerabilities.
It is not required to change your password or recovery code. However, if you decide to do so, please read our recommendation on how to best protect your login credentials.
Transparency and security
At Tutanota we believe that transparency and security are closely interlinked. That’s why we believe it is important that we inform you about this fixed vulnerability, also via email.
To prevent similar issues in the future, we have taken the following steps:
-
We implemented several technical improvements in Tutanota which prevent exploitation in the unlikely event of future XSS vulnerabilities.
-
We added regression tests for these improvements to our internal security review guidelines.
-
We emphasized security reviews of changes to the handling of user content as part of our normal code review process.
Open Source increases level of security
We have always stressed the fact that open source tools are more secure than closed source applications. The code of open source clients can be inspected by the security community to make sure that the code is free from bugs, vulnerabilities and backdoors.
Though unfortunate, the vulnerabilities found by Sonar prove that this is actually true. While closed source code might have similar issues, users might never find out about this.
We would like to thank Sonar for responsibly disclosing the cross-site scripting vulnerability in Tutanota 3.98.0.
All reported issues were subject to a 90-day disclosure deadline, after which Sonar said they would make parts of the issue public. We are happy that we were able to fix the addressed issues much faster, in fact within two days.
In our email communication with Sonar, vulnerability researcher Paul Gerste even said “Kudos to you and your team, you seem to take the security of your product seriously!”
We are very happy about this feedback from a security expert. It motivates us to work even harder on improving Tutanota!