Mimecast Exposes An Insidious And Potentially Dangerous Email Vulnerability – Forbes
Imagine that the content of an email could be changed by the sender after it had been received and read by the recipient. In addition, imagine that the changes could be made from a remote site without direct access to the recipient’s computer or email browser. Imagine the damage that could be done. A benign link could be changed into a malicious one. The terms of an agreement could be modified after the fact. Incriminating or suspicious information could be planted.
Now, forget about imagining because you don’t have to. Francisco Ribeiro discovered how it can be done while he was a security engineer at email and data security company Mimecast (he has since moved to Google). Mimecast calls it ROPEMAKER.
ROPEMAKER takes advantage of functionality that is built into HTML email, specifically the use of cascading style sheets (CSS) in HTML documents. A style sheet typically contains information about the format and layout of a document such as a web page or an email. Style sheets allow web designers to separate the content of a page from the way the page looks, and to manipulate each independently of the other.
CSS plays an essential role in allowing web pages like this one to present a rotating series of ads in predefined locations on the page while the body of the article remains unchanged. The style sheet is located on a remote server, and changes made to the sheet appear in the document shown on the screen.
Ribeiro worked out a method for coding text as format or layout data in a style sheet. Because the text in the body of the email is supplied by the style sheet, it can be changed from the remote server at any time. Mimecast provides examples of changing a benign URL to a malicious one, and of changing a blank email to one that says whatever the sender wants it to say after it has been received.
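The mechanism described above depends on one thing a mail gateway or client can check for: an HTML message that pulls its style sheet from a remote server, either through a `<link rel="stylesheet">` element or an `@import` rule inside a `<style>` block. The following detector is an added example written for this page, not code from Mimecast or from the original article; the three sample messages are constructed inline, and the `example.invalid` host is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not taken from Mimecast's write-up).
# The first two reference a style sheet hosted on a remote server, which is the
# precondition for the ROPEMAKER technique; the third is fully self-contained.
REMOTE_LINK_MAIL = """<html><head>
<link rel="stylesheet" href="https://example.invalid/style.css">
</head><body><p>Please review the attached terms.</p></body></html>"""

REMOTE_IMPORT_MAIL = """<html><head><style>
@import url("https://example.invalid/late.css");
</style></head><body><p>Hello</p></body></html>"""

SELF_CONTAINED_MAIL = """<html><head><style>
p { color: #333; }
</style></head><body><p>Hello</p></body></html>"""

# Matches "@import url(...)" and "@import '...'" forms and captures the target.
IMPORT_RE = re.compile(r'@import\s+(?:url\()?\s*["\']?([^"\')\s;]+)', re.IGNORECASE)


def _is_remote(url):
    """True if the URL points at a network host rather than inline content."""
    url = url.strip()
    scheme = urlparse(url).scheme.lower()
    return scheme in ("http", "https") or url.startswith("//")


class RemoteCssFinder(HTMLParser):
    """Collects every remote style-sheet reference found in an HTML body."""

    def __init__(self):
        super().__init__()
        self.remote_refs = []   # list of (kind, url) tuples
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            href = a.get("href") or ""
            if _is_remote(href):
                self.remote_refs.append(("link", href))
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # html.parser hands <style> contents to handle_data verbatim.
        if self._in_style:
            for url in IMPORT_RE.findall(data):
                if _is_remote(url):
                    self.remote_refs.append(("import", url))


def find_remote_css(html):
    """Return all remote style-sheet references in an HTML message body."""
    parser = RemoteCssFinder()
    parser.feed(html)
    parser.close()
    return parser.remote_refs


def is_ropemaker_candidate(html):
    """A message whose rendering can be altered after delivery via remote CSS."""
    return bool(find_remote_css(html))


if __name__ == "__main__":
    for name, mail in [("link", REMOTE_LINK_MAIL),
                       ("import", REMOTE_IMPORT_MAIL),
                       ("self-contained", SELF_CONTAINED_MAIL)]:
        print(name, "->", find_remote_css(mail))
```

A gateway that flags or quarantines on `is_ropemaker_candidate` catches both forms the article's description covers; it does not catch a client that fetches remote resources through other channels, which is why the plain-text rendering mitigation discussed later in the article is the stronger control.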
Mimecast examined a range of email delivery systems to determine which ones are vulnerable to ROPEMAKER. Webmail systems such as Gmail, Yahoo Mail, Outlook.com and icloud.com are not affected by ROPEMAKER. Email clients that run on the user's own device, such as Mozilla's Thunderbird and the desktop and mobile versions of Outlook and Apple Mail, are vulnerable. Vulnerable systems can be protected by disabling HTML email and allowing email to render only in plain text. It's ugly, but it works.
Mimecast has detected no cases of ROPEMAKER operating in the wild. Nevertheless, Mimecast thought ROPEMAKER’s potential for harm was serious enough to bring it to the attention of the primary email client vendors late last year. Thus far, none of the vendors have recognized ROPEMAKER as a vulnerability that requires action on their part to protect their users. Mimecast doesn’t agree, and has built ROPEMAKER protection into their security software.
The best possible outcome for ROPEMAKER is that this is the last you’ll ever hear of it because malicious actors don’t use it for nefarious purposes. However, a defense that rests on hoping the bad thing doesn’t happen is no defense at all. Mimecast hopes that making their work on ROPEMAKER public will motivate security specialists to develop real defenses so that if ROPEMAKER appears in the wild it can be countered quickly.