The vulnerability enabled an attacker to extract information from the Tutanota web app if a user
No attempts to exploit the vulnerability are known to date.
We regret having to inform you about this issue. At Tutanota we focus on security, and publishing all details about security-related issues is part of our strict transparency policy.
The Tutanota web app up until version 3.95.4 was vulnerable to a hard-to-execute XSS attack that required active participation of the user.
Tutanota emails can contain inline images and support the SVG (scalable vector graphics) format. SVG is a text format that can (but shouldn't) contain JavaScript code. Such code normally does not get executed by browsers.
Current Firefox versions execute such code in the context of the Tutanota web app in very specific situations. If
Malicious SVG images could extract information from the Tutanota web app this way.
This vulnerability is fixed in version 3.96.1. Tutanota updates automatically in the Firefox browser so all users should have the up-to-date version by now.
We now analyze all inline images client side and apply industry-standard sanitization with DOMPurify to those that report as SVG images before displaying them in the web app.
For security reasons, we replace any SVG image that does not parse correctly as a UTF-8 encoded SVG document with an empty document for display purposes. This replacement also affects SVG documents that are technically benign and valid but saved in a character encoding other than UTF-8.
The false-positive rate should be small because the vast majority of SVG images should be encoded in UTF-8. The sanitization only affects how the SVG is displayed; the original, unsanitized inline image can still be downloaded from the mail viewer as usual.
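The following is an added example, not Tutanota's code, of the client-side gating described above: only payloads reporting as SVG are touched, a payload that is not valid UTF-8 or does not parse as an SVG document is replaced by an empty SVG for display, and everything else goes through DOMPurify's SVG profile. The function names, the result shape, and the exact checks are assumptions; the `DOMParser` and `DOMPurify` calls are the browser API and the library's documented `USE_PROFILES` option. The fail-closed paths run without a browser because they return before parsing or sanitizing; the helper for building UTF-16 input exists only to reproduce the valid-but-not-UTF-8 case the text mentions.

```javascript
// Empty document that stands in for anything we refuse to render.
const EMPTY_SVG = '<svg xmlns="http://www.w3.org/2000/svg"></svg>';
const SVG_NS = 'http://www.w3.org/2000/svg';

// "Reports as SVG": the attachment's declared MIME type, parameters ignored.
function isSvgMime(contentType) {
  if (typeof contentType !== 'string') return false;
  return contentType.split(';')[0].trim().toLowerCase() === 'image/svg+xml';
}

// Strict UTF-8 decode: any malformed sequence (including a UTF-16 BOM, which
// is not valid UTF-8) makes the fatal decoder throw; we report that as null.
function decodeUtf8Strict(bytes) {
  try {
    return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
  } catch (e) {
    return null;
  }
}

// Default parse check, usable only where DOMParser exists (a browser). Rejects
// documents the XML parser flags and documents whose root is not <svg> in the
// SVG namespace.
function parseSvgWithDomParser(text) {
  if (typeof DOMParser === 'undefined') {
    throw new Error('DOMParser not available here; inject parseSvg');
  }
  const doc = new DOMParser().parseFromString(text, 'image/svg+xml');
  if (doc.getElementsByTagName('parsererror').length > 0) return false;
  const root = doc.documentElement;
  return root.localName === 'svg' && root.namespaceURI === SVG_NS;
}

// Default sanitizer: DOMPurify's SVG profile removes <script>, on* event
// handler attributes and javascript: URLs. DOMPurify must be loaded on the page.
function sanitizeWithDomPurify(text) {
  if (typeof DOMPurify === 'undefined') {
    throw new Error('DOMPurify not loaded; inject sanitize');
  }
  return DOMPurify.sanitize(text, { USE_PROFILES: { svg: true, svgFilters: true } });
}

// Decides what to display for one inline image (hypothetical API). Non-SVG
// images are handed back untouched for the normal image pipeline; SVG images
// come back as markup, with `reason` recording which branch was taken.
function svgForDisplay(bytes, contentType, deps = {}) {
  const parseSvg = deps.parseSvg || parseSvgWithDomParser;
  const sanitize = deps.sanitize || sanitizeWithDomPurify;

  if (!isSvgMime(contentType)) return { svg: false, bytes };

  const text = decodeUtf8Strict(bytes);
  if (text === null) return { svg: true, markup: EMPTY_SVG, reason: 'not-utf8' };
  if (!parseSvg(text)) return { svg: true, markup: EMPTY_SVG, reason: 'not-svg' };
  return { svg: true, markup: sanitize(text), reason: 'sanitized' };
}

// Test helper: encode a string as UTF-16LE with a byte order mark, i.e. a
// perfectly valid SVG file that is nevertheless not UTF-8.
function utf16leWithBom(str) {
  const out = [0xff, 0xfe];
  for (const ch of str) {
    const c = ch.charCodeAt(0);
    out.push(c & 0xff, c >> 8);
  }
  return new Uint8Array(out);
}

// Constructed inputs for a stand-alone run of the fail-closed paths.
const samples = {
  // '<svg' followed by a cut-off three-byte UTF-8 sequence
  truncated: new Uint8Array([0x3c, 0x73, 0x76, 0x67, 0xe2, 0x82]),
  // valid SVG, wrong encoding: replaced by the empty document, as the text says
  utf16: utf16leWithBom('<svg xmlns="http://www.w3.org/2000/svg"/>'),
};
for (const [name, bytes] of Object.entries(samples)) {
  console.log(name, '->', svgForDisplay(bytes, 'image/svg+xml').reason);
}
```

Note that UTF-16LE text without a BOM is byte-wise valid UTF-8 (ASCII characters interleaved with NUL bytes), so it survives the decoder and is rejected one step later by the parse check; both outcomes end in the empty document.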
The vulnerability could only be exploited if you dragged a malicious SVG from a Tutanota email into the Firefox address bar. It is highly unlikely that any of our users have been affected by this XSS attack.
Therefore, there is no need to change your password.
If you believe someone might have gotten hold of your password, please change your password and update your recovery code, both under Settings -> Login.
It is important to also update your recovery code if you believe someone has stolen your password because with the password they could have changed your recovery code to maliciously take over your account at a later time.
We would like to thank the user who reported this hard-to-execute vulnerability to us. This again proves why it is important that we have published our entire code as open source.
With the code being open source, anyone can check our code and report potential vulnerabilities to us. While we strive for maximum security and conduct regular security reviews, there is never a hundred percent guarantee of security. That's why it is important that others check our code as well.
We are committed to full transparency and always publish details about vulnerabilities after we have fixed them.