A couple of serious vulnerabilities have been identified and reported by Mike Cardwell

Jun 22, 2012 13:03 GMT  ·  By

FastMail.fm, the popular email hosting service, has addressed a number of vulnerabilities found by Mike Cardwell, a security researcher (amongst other things) from England.

He noticed that, although FastMail blocked remote content from loading, clicking the “View” button next to an email attachment could execute malicious code, even when the attachment was an image.

“Images can't execute JavaScript right? Well, yes, they can. This particular image was a Scalable Vector Graphic, with a content type of ‘image/svg+xml’. An SVG is just a lump of XML describing a picture, but it can also contain JavaScript and CSS,” Cardwell wrote on his blog.

“It's not safe to display certain types of user submitted content under your own domain. The problem is, developers assume that files with an "image/*" content-type are safe, because they're not familiar with SVG,” he added.

To fix this issue, FastMail simply added “image/svg+xml” to the list of files that couldn’t be viewed, only downloaded. The download process prompts the user to choose a location for the file, which makes it less dangerous than the “View” function, which directly displays the content under the fastmail.fm domain.

However, this measure turned out to be ineffective because the “image/svg+xml” filter could be bypassed by setting the content type to “application/octet-stream” and by giving the file an extension that would be considered safe.

The researcher explained, “FastMail was guessing the content type by looking at the filename extension. The method of filtering out unsafe file types was only working on the declared content type of ‘application/octet-stream’.”
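The bypass above comes from filtering on one content type while serving another. The following added example, which is not FastMail's code and only reconstructs the behaviour the article describes, shows a denylist applied to the declared type (bypassable by declaring `application/octet-stream` with a `.svg` name) next to an allowlist applied to the type that will actually be served, which forces a download for anything else. The function names, the allowlist contents and the extra `X-Content-Type-Options` header are assumptions made for the example.

```python
import mimetypes
import re
from typing import Dict, Tuple

# Allowlist of types the web client may render inline under its own origin.
# SVG is deliberately absent: it is XML and may carry <script> and CSS.
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}


def effective_type(declared: str, filename: str) -> str:
    """Type the server would actually serve. Mirrors the behaviour the
    article describes: a generic declared type is replaced by a guess
    derived from the filename extension."""
    if declared in ("", "application/octet-stream"):
        guessed, _ = mimetypes.guess_type(filename)
        return guessed or "application/octet-stream"
    return declared


def vulnerable_disposition(declared: str, filename: str) -> Tuple[str, str]:
    """Flawed check (hypothetical reconstruction): the denylist looks at
    the DECLARED type, but the served type is guessed afterwards."""
    if declared == "image/svg+xml":
        return ("attachment", declared)
    return ("inline", effective_type(declared, filename))


def hardened_disposition(declared: str, filename: str) -> Tuple[str, str]:
    """Apply the allowlist to the type that will actually be served and
    force a download (as a generic binary) for everything else."""
    served = effective_type(declared, filename)
    if served in INLINE_SAFE_TYPES:
        return ("inline", served)
    return ("attachment", "application/octet-stream")


def response_headers(declared: str, filename: str) -> Dict[str, str]:
    """Headers for the hardened path (assumed header set, not FastMail's)."""
    disposition, served = hardened_disposition(declared, filename)
    # Keep the filename from breaking out of the quoted header value.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": served,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        # Stop browsers from sniffing a forced download back into markup.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed request: generic declared type, SVG extension.
    print(vulnerable_disposition("application/octet-stream", "pic.svg"))
    print(hardened_disposition("application/octet-stream", "pic.svg"))
```

The decisive difference is that `hardened_disposition` never consults a type the server will not use; whatever guessing logic exists runs first, and the policy is applied to its output.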

While these vulnerabilities required some user interaction in order to be exploited, there was another security hole that could be leveraged to execute JavaScript simply by getting the victim to open the email.

The expert noticed that filenames weren’t escaped before being added to the HTML, which allowed him to execute code simply by attaching a file named something like: Hello<script>JavaScript payload</script>.jpg
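As an added example (not FastMail's code), the snippet below renders an attachment list row two ways: once by interpolating the raw filename into the markup, as the article describes, and once with the filename entity-escaped for the HTML context and percent-encoded for the link. The sample filename is constructed in the shape given above with a placeholder body, and the helper names are assumptions.

```python
import html
import re
from urllib.parse import quote

# Constructed filename in the shape the article describes (placeholder body).
SAMPLE_FILENAME = "Hello<script>payload</script>.jpg"

# A raw <script ...> opening tag surviving into markup is what we must not see.
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def render_attachment_row_unsafe(filename: str) -> str:
    """Vulnerable pattern: the filename is pasted straight into the HTML."""
    return f'<li><a href="/attachment/{filename}">{filename}</a></li>'


def render_attachment_row(filename: str) -> str:
    """Hardened: escape per context. Entities for element text and
    attribute values, percent-encoding for the path segment of the URL."""
    text = html.escape(filename, quote=True)
    url = quote(filename, safe="")
    return f'<li><a href="/attachment/{url}">{text}</a></li>'


def contains_live_script_tag(markup: str) -> bool:
    """True if the rendered markup still carries an unescaped script tag."""
    return bool(SCRIPT_TAG.search(markup))


if __name__ == "__main__":
    print(render_attachment_row_unsafe(SAMPLE_FILENAME))
    print(render_attachment_row(SAMPLE_FILENAME))
```

Note that the fix is applied at the output boundary rather than by rejecting filenames on input: a display name with `<` in it is legitimate, so it is the rendering step that must make it inert.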

Besides these weaknesses being fixed, FastMail also implemented (or plans to implement) HttpOnly cookies, HTTP Strict Transport Security, and a Content Security Policy.

Cardwell recommends that users test their email configuration using a clever tool that he developed, called Email Privacy Tester.