Unpatched RainLoop Webmail Enables Email Theft



Researchers have identified a cross-site scripting vulnerability

Prajeet Nair (@prajeetspeaks) •
April 22, 2022

Attackers gain full control of a session if an email is viewed. (Source: RainLoop website)

Researchers have discovered a code vulnerability in RainLoop, an open source web-based email client used by several organizations to exchange sensitive messages and files via email. Security researchers at SonarSource claim that this vulnerability allows attackers to steal emails from victims’ inboxes.


As Simon Scannell, vulnerability researcher at SonarSource, described it, an attacker can exploit the vulnerability simply by sending a malicious email to a victim who uses RainLoop as their email client.

Discovering the vulnerability

“When the email is viewed by the victim, the attacker takes full control of the victim’s session and can steal any of their emails, including those containing highly sensitive information such as passwords, documents, and password reset links,” Scannell said.

The discovered code flaw is a stored cross-site scripting, or XSS, vulnerability, tracked as CVE-2022-29360, and affects RainLoop version v1.16.0, which was released in May 2021.

A stored XSS occurs when attacker-supplied content is persisted by a web application and later rendered in other users’ browsers without adequate sanitization. Here, the stored content is the malicious email itself: it sits in the victim’s mailbox, and its payload runs in the victim’s session whenever the message is displayed.

At the time of writing, Scannell says, no official patch is available, and the vulnerability can be exploited in any RainLoop installation running with the default configuration.

“An attacker who knows the email address of an employee of a targeted organization can send the victim a maliciously crafted email. When displayed in the webmail interface, it executes a JavaScript payload hidden in the victim’s browser. No further user interaction is required,” Scannell says.

SonarSource says it first contacted RainLoop about the flaw on November 30, 2021, but received no response. Subsequently, the researchers created a GitHub issue on December 6, 2021, but they say there has been no response yet.

Finally, the researchers contacted RainLoop on January 1, 2022, via email and the GitHub issue, to inform them of the 90-day disclosure policy, but there has still been no response from the vendor.

A spokesperson for RainLoop was not immediately available for comment.

Technical details

Scannell says RainLoop’s back-end is a PHP application, which acts as a proxy between a user and their mail server. “Similar to email clients, such as Thunderbird, it allows a user to connect to an email server, retrieve emails, view them, and send emails,” he says.

“SonarSource researchers have sounded the alarm that the vulnerability is exploitable if a victim receives a malicious email. Now it’s time for defenders to adapt, innovate faster, and thrive. While there isn’t a fix today, the silver lining is that Sonar has developed a fix that will give organizations time to assess whether RainLoop poses a risk to them,” Sam Curry, head of security at Cybereason, tells Information Security Media Group.

Since RainLoop is a web application, it renders the HTML body of each incoming email in the user’s browser, Scannell explains. Before doing so, the application must sanitize that HTML so that what reaches the browser contains no scripts, event handlers, dangerous links or other active content.

Scannell describes the pipeline RainLoop uses to achieve this:

  • Receive untrusted HTML code from the mail server.
  • Create an instance of PHP’s built-in DOMDocument class, which parses the HTML into a tree of elements and their attributes.
  • Depending on the configuration, remove or neutralize any dangerous content in the tree.
  • Serialize the cleaned DOMDocument tree back into HTML code.

“Intuitively, it makes sense to analyze code that tries to remove any dangerous HTML […] and find a weakness inside that code to bypass the sanitizer. However, our experience has shown that there are often logic bugs after running the sanitize steps. From the security researcher’s perspective, they’re much easier to spot and are often overlooked by developers,” Scannell says.

The researchers recommend that developers not modify any data once it has been sanitized, since a later transformation can undo the sanitization step.

Scannell also recommends working on a DOM tree object rather than on serialized HTML text, which leaves far more room for error.
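To make the four-step pipeline and the sanitize-then-modify warning concrete, here is an added example, written for this article and not taken from RainLoop’s code. It builds a minimal DOMDocument-based sanitizer in the shape Scannell describes, then applies one further transformation, autolinking of bare URLs, first on the serialized HTML string and then on the DOM tree. The allow-lists, the autolinking step and the sample mail body are assumptions made for the demonstration; the specific defect in RainLoop is not reproduced here.

```php
<?php
declare(strict_types=1);

// Illustrative example added for this article; not RainLoop's code. It follows
// the pipeline described above (parse untrusted HTML with DOMDocument, strip
// dangerous content, serialize) and then contrasts a string rewrite applied
// AFTER serialization with the same rewrite done on the tree. The allow-lists
// and the autolinking step are assumptions for the demonstration.

const ALLOWED_TAGS  = ['html', 'body', 'p', 'b', 'i', 'br', 'div', 'span'];
const ALLOWED_ATTRS = ['title'];

// Steps 1 and 2: untrusted HTML from the mail server becomes a DOM tree.
function parseHtml(string $untrusted): DOMDocument
{
    libxml_use_internal_errors(true);                 // mail HTML is rarely well-formed
    $doc = new DOMDocument();
    $doc->loadHTML($untrusted, LIBXML_HTML_NODEFDTD); // libxml wraps fragments in <html><body>
    libxml_clear_errors();
    return $doc;
}

// Step 3: drop every element and attribute not on the allow-list. Removing a
// node removes its whole subtree, so <script>, <style>, <iframe> go with content.
function sanitizeTree(DOMDocument $doc): void
{
    $xpath = new DOMXPath($doc);
    // Snapshot first: mutating a live node list while iterating skips nodes.
    foreach (iterator_to_array($xpath->query('//*'), false) as $el) {
        if (!in_array(strtolower($el->nodeName), ALLOWED_TAGS, true)) {
            $el->parentNode->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            if (!in_array(strtolower($attr->name), ALLOWED_ATTRS, true)) {
                $el->removeAttribute($attr->name);    // on*, style, src, href, ...
            }
        }
    }
}

// Step 4: serialize the cleaned tree. The serializer escapes < > & in text
// nodes and additionally " inside attribute values; a " in a text node is
// emitted as-is, which is what the anti-pattern below trips over.
function serializeBody(DOMDocument $doc): string
{
    $out  = '';
    $body = $doc->getElementsByTagName('body')->item(0);
    foreach ($body ? $body->childNodes : [] as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Anti-pattern: a regex autolinker run on the serialized string, after the
// sanitizer has finished. A URL-shaped text fragment containing a quote is
// copied verbatim into the new href="..." and breaks out of the attribute.
function renderVulnerable(string $untrusted): string
{
    $doc = parseHtml($untrusted);
    sanitizeTree($doc);
    $html = serializeBody($doc);
    return preg_replace('~https?://[^\s<>]+~i', '<a href="$0">$0</a>', $html);
}

// Safe variant: the same autolinking, performed on the DOM tree before
// serialization. setAttribute() stores the URL as data, so the serializer
// writes the embedded quote as &quot; and no extra attribute can appear.
function autolinkTree(DOMDocument $doc): void
{
    $xpath = new DOMXPath($doc);
    foreach (iterator_to_array($xpath->query('//body//text()'), false) as $text) {
        $parts = preg_split('~(https?://[^\s<>]+)~i', $text->nodeValue, -1, PREG_SPLIT_DELIM_CAPTURE);
        if (count($parts) === 1) {
            continue;                                 // no URL in this text node
        }
        $frag = $doc->createDocumentFragment();
        foreach ($parts as $i => $part) {
            if ($i % 2 === 1) {                       // odd indices are the captured URLs
                $a = $doc->createElement('a');
                $a->setAttribute('href', $part);
                $a->appendChild($doc->createTextNode($part));
                $frag->appendChild($a);
            } elseif ($part !== '') {
                $frag->appendChild($doc->createTextNode($part));
            }
        }
        $text->parentNode->replaceChild($frag, $text);
    }
}

function renderSafe(string $untrusted): string
{
    $doc = parseHtml($untrusted);
    sanitizeTree($doc);
    autolinkTree($doc);         // modify the tree ...
    return serializeBody($doc); // ... and serialize last
}

// Constructed sample body (not a real email): a URL-shaped fragment carrying an
// event handler, followed by a <script> that the sanitizer removes.
$sample = '<p>See http://x.example/"onmouseover="alert(1) for details</p><script>alert(2)</script>';

echo "vulnerable: ", renderVulnerable($sample), "\n"; // the generated <a> carries an onmouseover attribute
echo "safe:       ", renderSafe($sample), "\n";       // the quote is serialized as &quot;, href only
```

Both variants remove the `<script>` element; the difference is only where the second transformation runs. In the vulnerable path the browser tokenizes `href="http://x.example/"onmouseover="alert(1)"` as two attributes, because HTML parsing treats a non-space character after a closing quote as the start of a new attribute name, so the sanitizer’s work is undone by a step that never looked at the tree. In the safe path the same quote is just part of an attribute value. This is the general point behind the two recommendations: once the tree is clean, either stop transforming, or keep transforming on the tree and let the serializer be the last step.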

Critical issues

Avishai Avivi, chief information security officer at cybersecurity firm SafeBreach, says that based on available information, it appears that the RainLoop product is no longer actively maintained or supported.

According to Avivi, this highlights three issues for which the vendor is responsible: legacy code, technical debt, and third-party risk management.

“Although, arguably, RainLoop is offered as a free version, it has likely sold out in the past. There is no explicit indication that the product is no longer maintained or supported. The responsible action for the RainLoop team would have been to point this out so that users would avoid downloading, installing and using a tool that is no longer maintained,” says Avivi.

Many companies struggle with legacy code and technical debt issues. According to Avivi, companies may have several reasons for not fixing old code and products that are no longer supported. But, he says, as a result, the problem tends to get worse rather than go away.

“It has the potential to explode when a vulnerability is discovered and there is no one left in the company who can fix it,” Avivi says.

He says companies must weigh the risk of using open source software or code, identify any critical dependencies on that code and address them in their business continuity planning.

