Some Email Clients Are Vulnerable To Attacks Via 'mailto' Links (zdnet.com)

A lesser-known technology known as "mailto" links can be abused to launch attacks on the users of email desktop clients. From a report: The new attacks can be used to secretly steal local files and have them emailed as attachments to attackers, according to a research paper published last week by academics from two German universities. The "vulnerability" at the heart of these attacks is how email clients implemented RFC6068 -- the technical standard that describes the 'mailto' URI scheme. Mailto refers to a special type of link, usually supported by web browsers or email clients. These are links that, when clicked, open a new email compose/reply window rather than a new web page. RFC6068 says that mailto links can support various parameters. When used with mailto links, these parameters pre-fill the new email window with predefined content.
  • by DontBeAMoran ( 4843879 ) on Thursday August 20, 2020 @01:21PM (#60423011)

    A lesser-known technology known as "mailto" links can be abused to launch attacks on the users of email desktop clients.

    If you were not aware of mailto links before today you really have no business reading Slashdot. That's extremely basic HTML.

    • Yeah, but there's a lot of people who do tech-related stuff that has nothing to do with HTML. Some people are only into hardware. Some people do desktop application programming. Even many newer web developers may have never used mailto: links because they don't work because a huge proportion of web users use web-based email and this functionality doesn't work (although it could, but it just doesn't by default).

      • I would argue there's a certain minimum level of broad tech knowledge that "tech people" should have - and the fact that "mailto" links exist (and have, since the dawn of the public world wide web) is part of that.

    • Actually, many people who know about basic "mailto" links don't know there are other headers you can specify as query parameters.
  • Not standard (Score:4, Insightful)

    by The MAZZTer ( 911996 ) on Thursday August 20, 2020 @01:28PM (#60423029)
    I don't see the "attach" parameter that was claimed to be abused in the spec. The blame falls on the e-mail clients for adding security holes disguised as "features". Allowing attachments makes sense only when the origin providing the link also provides the attachment.
    • Re:Not standard (Score:5, Informative)

      by 93 Escort Wagon ( 326346 ) on Thursday August 20, 2020 @02:30PM (#60423287)

      Yup, exactly. And I would argue the spec implicitly covers this. From RFC6068 itself:

      4. Unsafe Header Fields

            The user agent interpreting a 'mailto' URI SHOULD NOT create a
            message if any of the header fields are considered dangerous; it MAY
            also choose to create a message with only a subset of the header
            fields given in the URI. Only a limited set of header fields such as
            Subject and Keywords, as well as Body, are believed to be both safe
            and useful in the general case. In cases where the source of a URI
            is well known, and/or specific header fields are limited to specific
            well-known values, other header fields MAY be considered safe, too.

            The creator of a 'mailto' URI cannot expect the resolver of a URI to
            understand more than the "subject" header field and "body". Clients
            that resolve 'mailto' URIs into mail messages MUST be able to
            correctly create [RFC5322]-compliant mail messages using the
            "subject" header field and "body".

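      As an added illustration of the "safe subset" policy quoted from section 4 above (this is example code, not part of the comment, the RFC or any of the affected clients): a small Python mailto: parser that composes a message only from whitelisted header fields and reports everything else, such as a non-standard attach parameter, as rejected.

```python
from urllib.parse import unquote

# RFC 6068 section 4: only Subject, Keywords and Body are believed to be
# both safe and useful in the general case. Anything else in the hfields
# (including a non-standard "attach" parameter) is refused, not honoured.
SAFE_HFIELDS = {"subject", "body", "keywords"}


def parse_mailto(uri):
    """Split a mailto: URI into (recipients, [(name, value), ...]) with no policy applied."""
    if not uri.lower().startswith("mailto:"):
        raise ValueError("not a mailto URI")
    rest = uri[len("mailto:"):]
    path, _, query = rest.partition("?")
    # The path holds comma-separated, percent-encoded addresses.
    recipients = [unquote(a) for a in path.split(",") if a]
    headers = []
    if query:
        # Split on the raw "&"/"=" first, then percent-decode each part,
        # so an encoded "&" or "=" inside a value cannot smuggle in a field.
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            headers.append((unquote(name).lower(), unquote(value)))
    return recipients, headers


def compose_fields(uri):
    """Return (message_fields, rejected_header_names) after applying the safe-subset policy."""
    recipients, headers = parse_mailto(uri)
    fields = {}
    rejected = []
    for name, value in headers:
        if name == "to":
            # A "to" hfield is additive to the addresses in the path.
            recipients.extend(a for a in value.split(",") if a)
        elif name in SAFE_HFIELDS:
            fields[name] = value
        else:
            rejected.append(name)
    fields["to"] = recipients
    return fields, rejected


if __name__ == "__main__":
    # Constructed sample: a benign link and one carrying a non-standard attach field.
    print(compose_fields("mailto:a@example.com?subject=Hi&body=Hello"))
    print(compose_fields("mailto:a@example.com?subject=Report&attach=%2Fhome%2Fuser%2FDocuments%2Freport.docx"))
```

A client following the RFC's stricter option (SHOULD NOT create a message at all when a dangerous field is present) would refuse to compose whenever the rejected list is non-empty, rather than silently dropping the field.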
    • No.

      Some courts, for instance, have strict rules.

      "Create a document named 'pleading_08_20_2020_Stanley_Matter.docx' and place it in the Documents folder. Then click on this mailto: link we provide."

      • by PPH ( 736903 )

        strict rules

        OK. I did that. And all I got was a blank Compose window. Because my e-mail client doesn't take input parameters. But I'm just a lawyer (not really) and I have no clue as to what should be happening. Enjoy your empty e-mails.

        I actually have a friend who is a lawyer. And she has stuck with Word for DOS. Because it's the only thing that doesn't have so many configuration options and other garbage that she knows the court will get the right thing. (Wait, what? Submittals are not to be done in DingBats font?)

    • by AK Marc ( 707885 )
      I can see someone putting this in for support.

      "Please send us the support file for troubleshooting" "What's a file"

      "Please click the link to open an email with the support file attached and click send" "OK"
  • Email in general is just a miserable technology for 2020. Built in the days when email was mostly across college universities, and a sysadmin knew where each IP address came in from and to, as there were probably fewer than a hundred different email servers talking to each other.
    Then it grew and became more popular. It can no longer be managed by a wise sysadmin, who can keep an eye on the traffic, and stop riffraff on the spot. The protocol is way too open, and the modern updates are more hacks than anyt

    • by Anonymous Coward on Thursday August 20, 2020 @01:48PM (#60423115)

      If there's one thing that the censorship campaigns carried out by Youtube, Facebook, and Twitter have shown us, it's this: We need more decentralized technologies, not less.

      • But why can't we have secure decentralized technology?

        There are other methods than just the Gatekeeper approach to these problems.
        Just off the top of my head if I were to rebuild email.
        I would have a hashkey for each email user. A hashkey for each domain address. And a hashkey for each new message. Responses and forwards would use that same hashkey.

        The email server and/or the client can be configured to whitelist/blacklist known hashkeys. Put in a review bin for new ones, in which it can be manually revie

    • by Tony Isaac ( 1301187 ) on Thursday August 20, 2020 @01:48PM (#60423119)

      It's not for lack of trying to make something better than email.

      Texting is nice, but it's too brief for many purposes, and you can't really use your "inbox" as a to do list.
      Slack thinks we should all use their software as a replacement for email, but like texting, it's good for chatting, but not so good for messaging that is more deliberate than a casual chat.
      Then there is Teams, and Skype, and Facebook Messenger, and WhatsApp, and so on. But they all suffer from the same limitations as Slack. And besides, who wants to trust the whole world's communication with a single vendor?

      Email may be antiquated, but it works. Sure, it has problems, but what messaging platform doesn't? Email isn't going anywhere any time soon, just like IPv4.

      • With this fix in the works, I think I can hear some deep sighs in the NSA and FSB, since they had it so easy until now.
      • by Kejiro ( 2803123 )

        And besides, who wants to trust the whole world's communication with a single vendor?

        I think this is the real problem with the new technologies. Email has the benefit of being a well-known open standard, while most messaging companies/applications want the users to be locked in to use only their own products.

        Nothing stops you from setting up your own mail-server (except for the anti-spam measures from the larger providers making it difficult, but that's an entirely different problem), but try setting up your own Skype or Slack, or write your own client connecting to those.

      • This is really so, some emails are subject to attacks and numerous hacking, I use outlook webmail owa which provides me with additional protection in the form of outlook two factor authentication which generates a one-time password using universal tokens, on top of the main password.
  • I always view my mail in Thunderbird as Plain Text and only switch to Simple HTML if required to actually read the damn thing.

    • I just use Mutt, and if the text/plain is fucked up because the sender can't be bothered to do that properly, I let Mutt hand it over to elinks for the text/html version.

      • by gweihir ( 88907 )

        Ah, I see you beat me to it. Mutt seems to still be a favorite of people with a clue.

    • by gweihir ( 88907 )

      I use mutt. It does not have a crappy "web mode" that comes with all sorts of security problems. For HTML in, I convert to text and answer with that.

    • by antdude ( 79039 )

      I really hate it when HTML e-mails are unreadable in plain text format. :(

  • Which email clients? (Score:5, Informative)

    by awwshit ( 6214476 ) on Thursday August 20, 2020 @02:32PM (#60423301)

    For those that don't RTFA

    Evolution, the default email client for the GNOME desktop environment on Linux (see CVE-2020-11879)
    KMail, the default email client for KDE desktop environments on Linux (see CVE-2020-11880)
    IBM/HCL Notes on Windows (see CVE-2020-4089)
    Older versions of Thunderbird on Linux (now patched)

  • Your security boundary should extend beyond the device on which you are communicating with another. In other words, do the encryption/decryption on another device entirely and copy the encrypted text only from/to your communication device. PITA, but these flaws are just another collection that have been found after the last two sets found in the past.
  • At least they aren't removing your email client and shutting down SMTP servers.
  • I feel old as a longtime and current user of Eudora 7...
    • by WallyL ( 4154209 )
      Members of my family still use the old Eudora notification sound effect within Thunderbird. I was under the impression Eudora wasn't available anymore. Are you running Eudora on anything akin to a modern system?
    • Best. Client. EVER!
