Fixed potential hard-to-execute XSS vulnerability in Tutanota.

The vulnerability enabled an attacker to extract information from the Tutanota web app if a user

• received a malicious SVG inline image via email,
• dragged the image from the mail viewer into the address bar of their Firefox browser,
• right clicked the image, selected "open in new tab" from the context menu and then selected the address bar in that new tab and pressed the enter key.

No attempts to exploit the vulnerability are known to date.

We regret of having to inform you about this issue. At Tutanota we focus on security, thus, publishing all details about security relating issues is part of our strict transparency policy.

Timeline

• User reported vulnerablity on Apr 27th, 2022
• We merged the fix to master on May 4th, 2022
• We immediately released the fix to production on May 4th, 2022
• We informed our users about the vulnerablity on May 5th, 2022

What was the vulnerability about?

The Tutanota web app up until version 3.95.4 was vulnerable to a hard-to-execute XSS attack that required active participation of the user.

Tutanota emails can contain inline images and support the SVG (scalable vector graphics) format. SVG is a text format that can (but shouldn't) contain JavaScript code. Such code normally does not get executed by browsers.

Current Firefox versions execute such code in the context of the Tutanota web app in very specific situations. If

• The user drags the image from the mail viewer into the address bar of their Firefox browser.
• The user right clicks the image, selects "open in new tab" from the context menu and then selects the address bar in that new tab and presses the enter key.

Malicious SVG images could extract information from the Tutanota web app this way.

This vulnerability is fixed in version 3.96.1. Tutanota updates automatically in the Firefox browser so all users should have the up-to-date version by now.

How did we fix the issue?

We now analyze all inline images client side and apply industry-standard sanitization with DOMPurify to the ones reporting as SVG images before displaying them in the web app.

For security reasons, we replace any SVG image that doesn't parse correctly as a utf-8 encoded SVG document with an empty document for the purpose of displaying it. This replacement also affects SVG documents that are technically benign and valid, but saved in another character encoding than utf-8.

The false-positive rate should be small because the vast majority of SVG should be encoded in utf-8. The sanitization only affects the way the SVG is displayed, it is still possible to download the original, unsanitized inline image from the mail viewer as usual.

Do I need to change my password?

The found vulnerability was only possible to be exploited if you dragged a malicious SVG from a Tutanota email into the Firefox address bar. It is highly unlikely that any of our users could have been affected by this XSS attack.

Therefore, there is no need to change your password.

If you believe someone might have gotten hold of your password, please change your password and update your recovery code, both under Settings -> Login.

It is important to also update your recovery code if you believe someone has stolen your password because with the password they could have changed your recovery code to maliciously take over your account at a later time.

Open source and transparency

We would like to thank the user who reported this hard-to-execute vulnerability to us. This again proves why it is important that we have published our entire code as open source.

With the code being open source, anyone can check our code and report potential vulnerabilities to us. While we strive for maximum security and commence regular security reviews, there is never a hundred percent guarantee for security. That's why it is important that others check our code as well.

We are committed to full transparency and always publish details about vulnerablities after we have fixed them.