Vulnerability disclosure for Tutanota

We fixed a vulnerability within one day of notification.

2023-06-12
Focus on security: Fixed vulnerability within two days.
On April 3rd a vulnerable version of Tutanota was released. We were notified about the issue three days later by one of our users and fixed it immediately. Now, all affected versions of Tutanota have been disabled and we would like to inform you about the issue for full transparency.
SIGN UP

All Tutanota apps (web, desktop, Android, iOS) version 3.112.5 were vulnerable to the HTML attribute injection that we explain in more detail below.

The vulnerability is fixed and the vulnerable apps versions have been disabled and can't be used anymore.

Details of vulnerability

App version 3.112.5 introduced displaying the mail subject in the header of the app. This was done by setting a title for a component displaying that app section. The same title is used as an accessibility ARIA title for that view via aria-label attribute. The code was utilizing mithril's hyperscript capabilities to add ARIA attributes via a single selector string. The selector string was crafted in an unsafe manner which made it possible to manipulate the selector and therefore HTML attributes by using a specifically crafted email subject.

The vulnerability was fixed by using an attributes object instead of encoding attributes in a mithril selector.

Impact

We are not aware of any incident where the vulnerability was exploited.

No action is necessary from your side.

Timeline

  • 03-04-2023 Vulnerable version is released
  • 06-04-2023 Reports regarding mail are received, the vulnerability is patched, patched version is released
  • 09-05-2023 Vulnerable version is marked as outdated
  • 25-05-2023 Vulnerable version is disabled

Open Source increases level of security

We have always stressed the fact that open source tools are more secure than closed source applications. The code of open source clients can be inspected by the security community to make sure that the code is free from bugs, vulnerabilities and backdoors.

Though unfortunate, the vulnerability we describe above shows that this is actually true. While closed source code might have similar issues, users might never find out about this.

We are glad that security experts as well as our users are looking at our code and report issues.

It motivates us to work even harder on improving Tutanota!

SIGN UP
Author
Black and white picture of Willow supporting themselves with an arm.
Willow is lead developer at Tuta, focusing on improving Tuta's web client as well as Tuta for Android and iPhone in terms of features and UI. Willow is an expert in all things open source and how to best implement privacy protections in our secure email and calendar platform. Willow likes to explain why open source matters and how to build a great user interface that makes encryption easy.
Top posts
Threat Modeling In 2024: Your Guide For Better Security
10 Best Private Email Services in 2024
Google Pays 1150 Times More for Its Search Monopoly Than for Lobbying in the EU & US
Why Use A Password Manager - And Our Top 3!
Anonymous email: Create an email address without a phone number.
The Illusion Of "Swiss Privacy" Being The Best
10 best free email accounts in 2024
Latest posts
Tuta Mail supports SPF, DMARC and DKIM for best security when using your custom domain.
Don't want Gmail to sift through your emails? Too late, their AI is going to do it.
Why are Google and Facebook free? The answer might be worse than you think.
What is a tech stack and how Tuta makes sure it's secure
Terminate subscription
Company
Community
Team
Jobs
Terms
Privacy
Legal notice
Development
Changelog
Roadmap
Security
Encryption
Open Source
GitHub
Features
Secure Email
Encrypted Calendar
Business
Support
Forum
Press
Support
Language
English
Translate