ROPEMAKER technical whitepaper
created on 2017-08-28 01:57:42
A technical whitepaper on a vulnerability affecting popular email clients that allows attackers to arbitrarily modify the perceived content of HTML emails post-delivery.
This paper describes some research I did about a year ago on the most popular email clients. It highlights a weakness that allows attackers to arbitrarily modify the perceived content of HTML emails post-delivery, even in the presence of technologies such as PGP and S/MIME.
In this document, I cover the design flaw and some of the offensive techniques it enables, along with its implications and side effects. With this, I aim to bring a better understanding of the technical aspects of this attack, dubbed Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky (ROPEMAKER), and of how one can protect against it.
- The views expressed here are mine alone and not those of my employer
- This was presented at the 39th M3AAWG event last February in San Francisco and publicly disclosed on August the 22nd by Mimecast; you can read more about its official release here
- This is exploratory work, mostly for fun, and it's not comprehensive in any way
- Tests were done against recent versions of Microsoft Outlook, Apple Mail and Mozilla Thunderbird running on Mac OS El Capitan / Sierra and on an iPhone 6 / SE with iOS 9 and, later on, 10
- Thanks to Mimecast for supporting this work and for being such an incredible place to work
- Also special thanks to my friends who reviewed this paper (Mark, Hugo, Morisson, Tiziano, Geta, Kyriakos and Borja)
- Questions, feedback and comments are welcome
ropemaker.pdf - paper (draft)
last modified on 2017-09-02 03:41:46