Cybersecurity specialist Sabri Haddouche has found a collection of vulnerabilities in more than 30 popular email client applications that let attackers send spoofed emails that bypass anti-spoofing mechanisms.
The set of vulnerabilities, dubbed MailSploit, affects Apple Mail (macOS, iOS, and watchOS), Mozilla Thunderbird, several Microsoft email clients, Yahoo Mail, ProtonMail, and others.
Although most of the affected email client applications have implemented anti-spoofing mechanisms such as DKIM and DMARC, MailSploit takes advantage of the way email clients and web interfaces parse the "From" header.
Email spoofing is an old but still very effective technique: an attacker modifies email headers to send a message with a forged sender address, deceiving victims into believing the email came from another person.
Haddouche says that the lack of input sanitization in vulnerable email clients can lead to an email spoofing attack without actually exploiting any vulnerability in DMARC.
To demonstrate the attack, Haddouche created a payload by encoding non-ASCII characters inside the email headers and successfully sent a spoofed email that appeared to come from an official address belonging to the President of the United States of America.
"Using a combination of control characters such as new lines or null-byte, it can result in hiding or removing the domain part of the original email," Haddouche said.
"We've seen a lot of malware spreading via emails, relying on social engineering techniques to convince users to open unsafe attachments, or click on phishing links. The rise of ransomware distributed over email clearly demonstrates the effectivity of those mechanisms."
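As an added example (not code from the article, from Haddouche, or from MailSploit), the following Python check decodes the display name of a raw "From" header the way a client does and flags the two symptoms described above: control characters such as a null byte or newline in the decoded name, and an address hidden in the display name that differs from the real address. The sample headers and every address in them are constructed for this example.

```python
"""Detection check for the From-header parsing problem described above.

Added example, not code from the article or from MailSploit. It decodes the
display name of a raw From: header (RFC 2047 encoded words) and flags what a
mail gateway or client should reject before rendering: control characters in
the decoded name, or an address-looking display name that differs from the
real addr-spec. The sample headers and addresses below are constructed."""
import email.header
import email.utils

CONTROL_CHARS = {chr(c) for c in range(0x20)} | {"\x7f"}

# Constructed samples: a plain header, an encoded non-ASCII name (legitimate),
# and two that smuggle an address plus a NUL / newline into the display name.
BENIGN = '"Alice Example" <alice@example.com>'
ENCODED_OK = "=?utf-8?Q?Jos=C3=A9?= <jose@example.com>"
SPOOF_NUL = "=?utf-8?Q?ceo=40example=2Ecom=00?= <mallory@attacker.example>"
SPOOF_LF = "=?utf-8?Q?ceo=40example=2Ecom=0A?= <mallory@attacker.example>"


def decode_display_name(raw_from: str) -> tuple[str, str]:
    """Split a raw From value into (decoded display name, addr-spec)."""
    name, addr = email.utils.parseaddr(raw_from)  # does not decode =?...?=
    parts = []
    for chunk, charset in email.header.decode_header(name):
        if isinstance(chunk, bytes):  # encoded words come back as bytes
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts), addr


def inspect_from_header(raw_from: str) -> dict:
    """Return a verdict a gateway or client can act on before showing the sender."""
    name, addr = decode_display_name(raw_from)
    controls = sorted({f"U+{ord(ch):04X}" for ch in name if ch in CONTROL_CHARS})
    # A display name that itself looks like an address, and is not simply the
    # real addr-spec repeated, is the look-alike sender the article describes.
    cleaned = "".join(ch for ch in name if ch not in CONTROL_CHARS).strip()
    embedded_address = "@" in cleaned and cleaned != addr
    return {
        "display_name": name,
        "addr_spec": addr,
        "control_chars": controls,
        "embedded_address": embedded_address,
        "suspicious": bool(controls) or embedded_address,
    }


if __name__ == "__main__":
    for raw in (BENIGN, ENCODED_OK, SPOOF_NUL, SPOOF_LF):
        print(inspect_from_header(raw))
```

The same check belongs on the client side as well: a renderer that truncates at the first null byte or line break would otherwise show only the smuggled address.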
In addition to spoofing, the researcher found that some of the email clients, including Hushmail, Open Mailbox, Spark, and Airmail, also have cross-site scripting (XSS) vulnerabilities resulting from the same spoofing problem.
Haddouche reported the spoofing bug to the vendors of 33 different applications; 8 of them had already fixed it in their products before the public disclosure, and 12 are working on a patch.
Mozilla and Opera consider the vulnerabilities a server-side problem and will not be releasing a patch. Some of the companies have not yet commented on the researcher's report.