All Tutanota apps (web, desktop, Android, iOS) in version 3.112.5 were vulnerable to the HTML attribute injection that we explain in more detail below.
The vulnerability is fixed, and the vulnerable app versions have been disabled and can no longer be used.
App version 3.112.5 introduced displaying the mail subject in the header of the app. This was done by setting a title
for the component displaying that app section. The same title is also used as the accessibility label for that view,
i.e. its ARIA aria-label attribute. The code used mithril's hyperscript capabilities to add ARIA attributes via a
single selector string. That selector string was built in an unsafe manner (the subject was concatenated into it), which made it possible to manipulate the
selector, and therefore the resulting HTML attributes, with a specifically crafted email subject.
The vulnerability was fixed by using an attributes object instead of encoding attributes in a mithril selector.
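To make the difference between the two patterns concrete, here is an added illustration (not Tutanota's code and not mithril's own parser): a simplified model of how a hyperscript selector string is split into tag, classes and `[attr=value]` parts, the unsafe construction that splices the subject into that string, and the fix that passes the attribute through a separate object. The parser, the `mail-header` class and the sample subject are assumptions made for the example.

```javascript
// Simplified model of mithril-style selector parsing (added example, not
// mithril's real implementation): handles tag, .class and [attr=value] parts.
const SELECTOR_PART = /([^#.\[\]]+)|\.([^#.\[\]]+)|\[([^\]=]+)(?:=([^\]]*))?\]/g;

function parseSelector(selector) {
  const node = { tag: "div", attrs: {} };
  const classes = [];
  for (const m of selector.matchAll(SELECTOR_PART)) {
    if (m[1] !== undefined) node.tag = m[1];            // bare tag name
    else if (m[2] !== undefined) classes.push(m[2]);    // .class
    else node.attrs[m[3]] = m[4] === undefined ? true : m[4]; // [attr=value]
  }
  if (classes.length) node.attrs.class = classes.join(" ");
  return node;
}

// Unsafe pattern described in the advisory: the untrusted subject becomes
// part of the selector string, so selector metacharacters in the subject
// are interpreted as selector grammar instead of as label text.
function vulnerableHeader(subject) {
  return parseSelector("h1.mail-header[aria-label=" + subject + "]");
}

// Fixed pattern: the attribute value travels in a separate attributes
// object and is never parsed as selector syntax, whatever it contains.
function fixedHeader(subject) {
  const node = parseSelector("h1.mail-header");
  node.attrs["aria-label"] = subject;
  return node;
}

// Constructed sample subject: it closes the attribute selector early and
// appends a second, harmless data-* attribute to show the effect.
const SAMPLE_SUBJECT = "Invoice][data-injected=1";

// Regression-style check: the rendered label must equal the subject
// verbatim and no attribute other than the intended ones may appear.
function headerIsSafe(render, subject) {
  const node = render(subject);
  const keys = Object.keys(node.attrs).sort().join(",");
  return node.attrs["aria-label"] === subject && keys === "aria-label,class";
}
```

`headerIsSafe(vulnerableHeader, SAMPLE_SUBJECT)` returns false while `headerIsSafe(fixedHeader, SAMPLE_SUBJECT)` returns true, which is the kind of unit test that catches this class of bug before release.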
We are not aware of any incident where the vulnerability was exploited.
No action is necessary from your side.
We have always stressed the fact that open source tools are more secure than closed source applications. The code of open source clients can be inspected by the security community to make sure that the code is free from bugs, vulnerabilities and backdoors.
Though unfortunate, the vulnerability we describe above shows that this is actually true. While closed source code might have similar issues, users might never find out about this.
We are glad that security experts as well as our users look at our code and report issues.
It motivates us to work even harder on improving Tutanota!