
Email Bug Allows Message Snooping, Credential Theft
2021-06-22 18:07

Researchers warn that attackers can snoop on email messages by exploiting a bug in Dovecot, the server software behind the majority of servers that speak the Internet Message Access Protocol (IMAP). The bug, first reported in August 2020 and patched Monday, affects Dovecot, which according to the Open Email Survey runs on more than three-quarters of IMAP servers.

"The vulnerability allows a MITM attacker between a mail client and Dovecot to inject unencrypted commands into the encrypted TLS context, redirecting user credentials and mails to the attacker," according to research linked to from a bug bounty page and dated August 2020.

The flaw centers on the implementation of the STARTTLS command, which an email client sends over a plaintext connection to upgrade it to TLS before credentials and messages are exchanged, according to a technical description by Anubisnetworks. Anything the server still holds in its plaintext read buffer at that moment is the root of the problem.

"We found that Dovecot is affected by a command injection issue in STARTTLS. This bug allows [an attacker] to bypass security features of SMTP such as the blocking of plaintext logins. Furthermore, it allows to mount a session fixation attack, which possibly results in stealing of credentials such as the SMTP username and password," researchers wrote.

In a session fixation attack, as OWASP describes it, the adversary establishes a session on their own terms before the victim authenticates and then causes the victim to use that session, so the victim's actions are carried out inside a session the attacker controls. Here the injected plaintext commands log the TLS session in to the attacker's own account before the victim's client has sent a single encrypted byte, so whatever the client sends next, credentials included, lands with the attacker.

"In order to conduct the attack, an attacker first creates a legit account on a Dovecot server. They now wait for and [intercept] an encrypted connection on port 465 from a victim's email client," researchers wrote.
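The mechanism the researchers describe, reduced to a simulation. This is an added example written for this page, not Dovecot's code or the researchers' proof of concept: a hypothetical IMAP-style command loop whose vulnerable variant keeps the cleartext bytes that arrived behind the STARTTLS line in its read buffer and parses them after the handshake as if they had come in over TLS, and whose hardened variant (one reasonable fix, not necessarily the vendor's actual patch) refuses the connection when such trailing bytes exist. The account names, credentials and message text are constructed. It shows both points from the quoted findings: the cleartext LOGIN is accepted even though plaintext logins are blocked, and the victim's encrypted commands then run inside a session already bound to the attacker's account.

```python
"""Constructed simulation of a STARTTLS command-injection bug (vulnerable vs. hardened).

Hypothetical code for illustration; it is not Dovecot's implementation or patch.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical credential store.  Both accounts are legitimate, matching the
# attack description (the attacker first registers an account of their own).
ACCOUNTS = {"attacker": "attacker-pw", "victim": "victim-pw"}


@dataclass
class Session:
    tls: bool = False                      # has STARTTLS completed?
    user: Optional[str] = None             # authenticated account, if any
    mailboxes: dict = field(default_factory=lambda: {u: [] for u in ACCOUNTS})
    log: List[str] = field(default_factory=list)   # server responses, in order

    def handle(self, line: str) -> str:
        """Process one tagged command and return the server's response."""
        tag, _, rest = line.partition(" ")
        cmd, _, args = rest.partition(" ")
        cmd = cmd.upper()
        if cmd == "LOGIN":
            # Plaintext logins are blocked until TLS is active (LOGINDISABLED).
            if not self.tls:
                return f"{tag} NO [PRIVACYREQUIRED] LOGIN disabled before STARTTLS"
            if self.user is not None:
                return f"{tag} BAD already authenticated as {self.user}"
            user, _, password = args.partition(" ")
            if ACCOUNTS.get(user) != password:
                return f"{tag} NO authentication failed"
            self.user = user
            return f"{tag} OK logged in"
        if cmd == "APPEND":
            # Stores the message in whichever account the session is bound to.
            if self.user is None:
                return f"{tag} NO not authenticated"
            self.mailboxes[self.user].append(args)
            return f"{tag} OK appended"
        return f"{tag} BAD unknown command"


def run_server(plaintext: bytes, tls_lines: List[str], vulnerable: bool) -> Session:
    """Drive one session.

    plaintext: bytes received on the wire before the TLS handshake.
    tls_lines: command lines received inside TLS after the handshake.
    """
    sess = Session()
    buf = plaintext
    post_handshake: List[str] = []
    while b"\r\n" in buf:
        raw, _, buf = buf.partition(b"\r\n")
        line = raw.decode()
        tag, _, rest = line.partition(" ")
        if rest.upper() != "STARTTLS":
            sess.log.append(sess.handle(line))
            continue
        sess.log.append(f"{tag} OK begin TLS negotiation")
        # The TLS handshake would run here.  Anything still in `buf` was sent
        # in cleartext, pipelined behind the STARTTLS command.
        if buf:
            if not vulnerable:
                sess.log.append("* BYE cleartext data after STARTTLS; closing")
                return sess
            # Bug: leftover cleartext is parsed as if it arrived inside TLS.
            post_handshake = buf.decode().splitlines()
        sess.tls = True
        break
    for line in post_handshake + tls_lines:
        sess.log.append(sess.handle(line))
    return sess


# Constructed attacker traffic on the STARTTLS port: the STARTTLS command and a
# cleartext LOGIN for the attacker's own account, sent in one write.
INJECTED = b"a1 STARTTLS\r\na2 LOGIN attacker attacker-pw\r\n"
# Constructed victim traffic, relayed by the MITM into the same TLS session.
VICTIM = ["v1 LOGIN victim victim-pw", "v2 APPEND Sent confidential-draft"]


def demo(vulnerable: bool) -> Session:
    return run_server(INJECTED, VICTIM, vulnerable)


if __name__ == "__main__":
    for mode in (True, False):
        s = demo(vulnerable=mode)
        print("vulnerable" if mode else "hardened", s.log,
              "attacker mailbox:", s.mailboxes["attacker"])
```

Running it with `vulnerable=True` logs the attacker's cleartext LOGIN as accepted, answers the victim's own LOGIN with "already authenticated as attacker", and files the victim's APPEND into the attacker's mailbox; the hardened variant closes the connection as soon as it sees bytes trailing the STARTTLS line, before any handshake, so the victim's client never gets a session to use.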


News URL

https://threatpost.com/email-bug-message-snooping-credential-theft/167125/