On June 22nd 2022 we received a security advisory from Paul Gerste, Sonar, informing us of a cross-site scripting (XSS) vulnerability in Tutanota which affected all clients, and a remote code execution (RCE) vulnerability which affected only the desktop clients. Both vulnerabilities were fixed immediately, and a patch was released in version 3.98.1 on June 24th 2022.
What actions have we taken?
Two days after being informed about the vulnerabilities, we released a patch in version 3.98.1 that moves the urlify call before the sanitization step, so that the markup produced by urlify is also subject to the sanitizer; this fixes the immediate XSS problem.
In addition, we have implemented changes to harden the security of the application, most of which are already released or will ship with the next update:
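As an added illustration, not Tutanota's code and not a reconstruction of the exact bug Sonar reported, the following JavaScript uses a toy allow-list sanitizer and a toy urlify function to show why the order of the two passes matters: when urlify runs after the sanitizer, the anchors it generates are never checked against the sanitizer's policy, so a quote character inside URL-like text yields an attribute the policy never allowed; run before the sanitizer, the same input is reduced to harmless text. The sanitizer, the urlify function, the policy check and the sample mail body are all constructed for this example.

```javascript
// Added example (not Tutanota's code): a toy sanitizer and a toy urlify that
// show why the link-ifying pass has to run before the sanitizer, not after it.

// Escape text content the way a DOM serializer does: '&', '<' and '>' become
// entities; '"' is left alone because it is harmless inside text.
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Allow-list policy: keep <b>, </b>, </a>, and an <a> whose only attribute is
// an http(s) href. Every other tag is demoted to escaped text.
function sanitizeTag(tag) {
  if (/^<\/?b>$/i.test(tag)) return tag.toLowerCase();
  if (/^<\/a>$/i.test(tag)) return "</a>";
  const a = /^<a href="(https?:\/\/[^"\s<>]*)">$/i.exec(tag);
  if (a) return `<a href="${a[1]}">`;
  return escapeText(tag);
}

// Walk the string tag by tag, applying the policy to tags and escaping text.
function sanitize(html) {
  const tagRe = /<[^>]*>/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)) + sanitizeTag(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeText(html.slice(last));
}

// Naive urlify: wraps anything that looks like an http(s) URL in an anchor.
// The match stops at whitespace or '<' but not at '"', and the URL is spliced
// into the markup verbatim, so a '"' inside it ends the href value early.
const URL_RE = /https?:\/\/[^\s<]+/g;
function urlify(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// The two orderings under comparison.
function sanitizeThenUrlify(body) { return urlify(sanitize(body)); }
function urlifyThenSanitize(body) { return sanitize(urlify(body)); }

// Policy check: count <a> tags that carry any attribute besides href.
function anchorsWithExtraAttributes(html) {
  const tags = html.match(/<a\s[^>]*>/gi) || [];
  return tags.filter((t) =>
    t.replace(/^<a\s+/i, "").replace(/href="[^"]*"/i, "").replace(/>$/, "").trim() !== ""
  ).length;
}

// Constructed sample body: the URL-like token contains a '"', which a DOM
// serializer leaves untouched in text content.
const SAMPLE_BODY = 'read http://example.test/?q="title="injected';

console.log("sanitize -> urlify:", sanitizeThenUrlify(SAMPLE_BODY));
console.log("urlify -> sanitize:", urlifyThenSanitize(SAMPLE_BODY));
```

With the sanitizer first, the output contains an anchor carrying a `title` attribute that the policy never permitted, because the anchor was built after the policy ran. With urlify first, the malformed anchor is escaped to text and only well-formed `<a href="http(s)://...">` tags survive; a real sanitizer would also drop the now unmatched `</a>`, which this toy keeps to stay short.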
Using a shadow DOM to render mail bodies, ensuring that any styles that somehow survive sanitization will not leak to the rest of the app
Handling the edge case with looksExecutable
Improving the Content Security Policy (CSP) in the Electron desktop client and restricting which files can be accessed
Randomizing the name of the temporary directory, to ensure that attachment locations cannot be predicted by an attacker
Please be aware that an additional hardening of the security in an upcoming release will require that local search indexes be deleted on the desktop clients and mobile apps. This index is automatically created again with your next search. Check here how to improve your search results.
Affected clients disabled
All affected clients have been disabled. We are not aware of any incident in which a malicious attacker has taken advantage of these vulnerabilities.
It is not required to change your password or recovery code. However, if you decide to do so, please read our recommendation on how to best protect your login credentials.
Transparency and security
At Tutanota we believe that transparency and security are closely interlinked. That's why we consider it important to inform you about this fixed vulnerability, also via email.
To prevent similar issues in the future, we have taken the following steps:
We implemented several technical improvements in Tutanota which prevent exploitation in the unlikely event of future XSS vulnerabilities.
We added regression tests for these improvements to our internal security review guidelines.
We emphasized security reviews of changes to the handling of user content as part of our normal code review process.
Open source increases the level of security
We have always stressed the fact that open source tools are more secure than closed source applications. The code of open source clients can be inspected by the security community to make sure that the code is free from bugs, vulnerabilities and backdoors.
Though unfortunate, the vulnerabilities found by Sonar prove that this is actually true. While closed source code might have similar issues, users might never find out about them.
We would like to thank Sonar for responsibly disclosing the cross-site scripting vulnerability in Tutanota 3.98.0.
All reported issues were subject to a 90-day disclosure deadline, after which Sonar said they would make parts of the issue public. We are happy that we were able to fix the reported issues much faster, in fact within two days.
In our email communication with Sonar, vulnerability researcher Paul Gerste even said "Kudos to you and your team, you seem to take the security of your product seriously!"
We are very happy about this feedback from a security expert. It motivates us to work even harder on improving Tutanota!