Developers announce improved security for the future release

Jul 15, 2014 15:22 GMT

Tutanota, an email service dedicated to providing secure message exchange, has acknowledged a cross-site scripting (XSS) flaw that allowed an attacker to plant malicious content in the subject line of an email sent to another address on the service.

If the recipient was tricked into forwarding that email, the JavaScript carried in the subject was executed in the context of the web application.

The email service provides end-to-end encryption, which means that the messages are encrypted and decrypted locally, in the context of the web browser.

The process relies on “a standardized, hybrid method consisting of a symmetrical and asymmetrical algorithm.” The service uses AES-128 and 2048-bit RSA.

The XSS vulnerability was discovered during a penetration test conducted by Thomas Roth. Upon learning of the flaw, the company fixed it, and the attack is no longer possible.

Apart from pointing out the security risk, Roth also drew attention to other issues whose resolution would improve the security of the Tutanota service. The company said that these would be addressed in the next release of the service.

“All found issues do not affect the encryption itself, but the web application as such. With Tutanota you can easily send and receive encrypted emails that cannot be monitored with common mass-surveillance practices,” writes a representative from the company in a blog post.