Email content injection flaws chained to bypass security controls

A potentially troublesome set of web security vulnerabilities in Speer were promptly resolved after the researcher who unearthed the flaws notified its developer.

Speer is an open source, privacy-focused communication application for Node.js. It can be used to make either audio or video calls or to send large files.

Researcher François Renaud-Philippon decided to examine the source code of the app as a side project during his free time.


Catch up on the latest secure development news


The Canadian recognized a pattern of code in the app that was similar to a vulnerability they had encountered during their professional life.

Sure enough, further examination revealed security shortcomings that might be combined and abused to either bypass authentication mechanisms or used as part of phishing attacks.

Renaud-Philippon told The Daily Swig:

The vulnerability would allow the adversary to replace the content of address validation email with anything. It could be used for phishing, or sending insensitive content.

It's like webpage defacement for emails. [It could also be used to] bypass the address validation process by combining the email content injection and a template injection to exfiltrate the secret that is sent by email to check the ownership.

The researcher added that Speer’s developer responded to his finding with admirable grace, releasing a security patch the next day with a patch on September 9.

“They applied the patch in production,” according to Renaud-Philippon. “From my understanding no users were affected.”

The release of a security update allowed Renaud-Philippon to publish a blog post documenting his discovery of the ‘email content injection’ and ‘template injection’ flaws.

Speer-phishing

The chained exploit developed by the researcher involved creating an account with the intended victim’s email address and a tracking pixel in the username.

When Speer sends a confirmation email to a victim, this tracking pixel results in the registration secret being leaked to an attacker who can confirm the account.

The “template injection” terminology used here is perhaps open for debate, and some might say that the security shortcomings described by Renaud-Philippon might better be described as “HTML injection in email” or “email HTML injection”.

Quibbles about semantics aside, the researcher concludes his findings offer lessons for both app developers and hackers about a somewhat overlooked class of vulnerability.

“Email content Injections are seen as a poor man’s defacing,” according to Renaud-Philippon. “For a lot of hackers, email content injections are boring and their impact is unimpressive”.

“Where email content injections shine as a vulnerability is how they can be chained to bypass security controls,” they concluded.


YOU MAY ALSO LIKE VMware denies allegations it leaked Confluence RCE exploit