Hi Albrecht, On 05/31/2018 10:16:23 AM Thu, Albrecht Dreß wrote:
Hi all,

Balsa's Webkit2 (USE_WEBKIT2 is defined) implementation is vulnerable to the EFail [1] attack, as it loads external content *without* user interaction for the cases H4, H5, H14, H15 and H17.

The attached patch
* completely disables Java and JavaScript, as it should always be considered harmful in emails;
* completely disables loading external content without user confirmation.

I tested several legitimate HTML messages with embedded and external images; the patch doesn't change their behaviour. I.e. embedded images are displayed, and external content is loaded only after user confirmation.

Please note that the patch addresses Webkit2 *only*. I didn't test the other html options; Balsa /may/ still be vulnerable if they are used. Additionally, there /may/ be other backchannels which could be used for an attack with Webkit2. The only really safe option is to disable HTML rendering completely.

I also attach a test message (in mailbox format) which contains several HTML parts, each trying to exploit a different method for bypassing remote content blocking. All requests are directed to my personal web page, and I don't collect logs. To test it, just terminate all web applications, run tcpdump (or wireshark) for port 80, and open the message in Balsa or any other mail client…

Best,
Albrecht.

[1] <https://efail.de/efail-attack-paper.pdf>
Many thanks for the patch! Pushed to GitLab. Is this ready for a release?

Peter
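The patch discussed above blocks external content until the user confirms; to offer that confirmation at all, a mail client first has to know whether an HTML part references anything remote. The following Python is an added illustration, not Balsa's code and not the posted patch (Balsa hooks the decision into WebKit2's resource loading, which is assumed here and not shown): it walks an HTML body and reports the references a renderer would fetch unprompted, while embedded `cid:` parts and `data:` URIs stay allowed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

REMOTE_SCHEMES = {"http", "https", "ftp"}  # fetching these contacts a host
AUTO_FETCH_ATTRS = {"src", "href", "background", "poster", "data"}  # no click needed
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)""", re.IGNORECASE)

def is_remote_uri(uri: str) -> bool:
    """True if loading the URI reaches the network; cid: and data: stay local."""
    uri = uri.strip()
    if uri.startswith("//"):  # scheme-relative, inherits http(s) from the page
        return True
    return urlsplit(uri).scheme.lower() in REMOTE_SCHEMES

class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, uri) for every resource fetched automatically."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def _note(self, tag, attr, uri):
        if is_remote_uri(uri):
            self.remote.append((tag, attr, uri))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or (tag in ("a", "area") and name == "href"):
                continue  # a plain link needs a click, so it is no backchannel
            if name == "style":  # inline CSS, e.g. background-image: url(...)
                for uri in CSS_URL.findall(value):
                    self._note(tag, name, uri)
            elif name in AUTO_FETCH_ATTRS:
                self._note(tag, name, value)

def find_remote_references(html: str):
    """Non-empty result means: ask the user before loading anything remote."""
    parser = RemoteRefFinder()
    parser.feed(html)
    parser.close()
    return parser.remote

# Constructed sample body; the tracker host is a placeholder, not a real site.
SAMPLE_HTML = """<img src="cid:logo@example.invalid"><img src="http://tracker.example.invalid/pixel.gif">
<div style="background-image: url(//tracker.example.invalid/bg.png)"></div>
<link rel="stylesheet" href="http://tracker.example.invalid/style.css">
<a href="http://www.example.invalid/">a link needs a click, so it is not counted</a>"""
```

On the sample, `find_remote_references(SAMPLE_HTML)` reports the tracking pixel, the inline-CSS background and the stylesheet, but neither the embedded `cid:` logo nor the plain link.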