Jump to content

Simple Exploit Allows Attackers to Modify Email Content - Even After It's Sent!

Recommended Posts

  • Active Members



Security researchers are warning of a new, easy-to-exploit email trick that could allow an attacker to turn a seemingly benign email into a malicious one after it has already been delivered to your email inbox.

Dubbed Ropemaker (stands for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky), the trick was uncovered by Francisco Ribeiro, the researcher at email and cloud security firm Mimecast.


A successful exploitation of the Ropemaker attack could allow an attacker to remotely modify the content of an email sent by the attacker itself, for example swapping a URL with the malicious one.

This can be done even after the email has already been delivered to the recipient and made it through all the necessary spam and security filters, without requiring direct access to the recipient’s computer or email application, exposing hundreds of millions of desktop email client users to malicious attacks.

Ropemaker abuses Cascading Style Sheets (CSS) and Hypertext Markup Language (HTML) that are fundamental parts of the way information is presented on the Internet.

"The origin of Ropemaker lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML," Mimecast's Senior Product Marketing Manager Matthew Gardiner writes in a blog post.


"While the use of these web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email."

Since CSS is stored remotely, researchers say an attacker can change the content of an email through remotely initiated changes made to the desired 'style' of the email that is then retrieved remotely and presented to the user, without the recipient, even tech savvy users, knowing about it.





According to the researchers, the Ropemaker attack could be leveraged depending upon the creativity of the threat actors.

For instance, attackers could replace a URL that originally directed the user to a legitimate website by a malicious one that sends the user to a compromised site designed to infect users with malware or steal sensitive info, such as their credentials and banking details.

While some systems are designed to detect the URL switch preventing users from opening up the malicious link, other users could be left at a security risk.

Another attack scenario, called "Matrix Exploit" by the Mimecast, is more sophisticated than the "Switch Exploit", and therefore much harder to detect and defend against.

In a Matrix Exploit attack, attackers would write a matrix of text in an email and then use the remote CSS to selectively control what is displayed, allowing the attacker to display whatever they want—including adding malicious URLs into the body of the email.

This attack is harder to defend against because the initial email received by the user does not display any URL, most software systems will not flag the message as malicious.

"Since the URL is rendered post-delivery, an email gateway solution such as Mimecast cannot find, rewrite, or inspect the destination site on-click, because at the time of delivery there would be no URL to detect," the report reads. "To do so would require the interpretation of CSS files, which is beyond the scope of current email security systems."

Although the security firm has not detected the Ropemaker attack in the wild, it believes that this doesn't mean for sure the attack is "not being used somewhere outside the view of Mimecast."

According to the security firm, Ropemaker could be used by hackers to bypass most common security systems and trick even the tech savvy users into interacting with a malicious URL.

To protect themselves from such attacks, users are recommended to rely on web-based email clients like Gmail, iCloud and Outlook, which aren't affected by Ropemaker-style CSS exploits, according to Mimecast.

However, email clients like the desktop and mobile version of Apple Mail, Microsoft Outlook, and Mozilla Thunderbird are all vulnerable to the Ropemaker attack.


Via https://thehackernews.com/2017/08/change-email-content.html

  • Thanks 1
  • Upvote 3
Link to comment
Share on other sites

  • Moderators

M-am jucat în ultimele ore cu ropemaker şi pot să zic că nu este cine ştie ce.



$to = "destinatar@site.tld";
$subject = "ropemaker vulnerability";
$message =<<<START
  <style type="text/css">@import "http://link_catre_extern/style.css"</style>
  I heard you are a <span id="content"></span> boy
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-Transfer-Encoding: quoted-printable\r\nContent-Type: text/html; charset=UTF-8\r\n";

În fişierul CSS avem aşa:


După trimiterea mailului, se poate modifica fişierul css pentru a adăuga altceva (ex. bad).


Din punctul meu de vedere, vulnerabilitatea este doar o problemă la nivelul programatorilor care au creat aplicaţiile şi nu ştiu să baneze importul de fişiere CSS din extern.  Sunt foarte puţine aplicaţii care nu blochează spreadsheet-urile (vulnerabilitatea mi-a mers doar pe Outlook pe Android), deci, într-o lună, două, ar trebui să avem update-uri de securitate pe ele şi ropemaker să fie de domeniul trecutului.

Edited by Dragos
  • Upvote 4
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...