At the Black Hat Security Conference on Thursday, security researchers will present 18 vulnerabilities in standard email sender-authentication protections. Exploiting these problems lets attackers disguise their identity from the victim.
The study looked at the three main protocols used in email sender authentication: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). The experts identified 18 vulnerabilities that don't stem from the protocols themselves but from how different email services and client applications implement them. Attackers could use these loopholes to make spear-phishing attacks even harder to detect.
The researchers found that by strategically manipulating different header fields they can produce different types of attacks, all of which can be used to deceive the person on the other end of an email.
The vulnerabilities fall into three categories. The first set, called "intra-server" attacks, is based on inconsistencies in how the mail service pulls data from headers to authenticate the sender. Take the fact that there are two "From" fields, HELO and MAIL FROM. Different authentication mechanisms can be configured to match the two fields in different ways. For example, some implementations interpret an email address that starts with an open parenthesis, such as (wired@iscool[.]com, as an empty MAIL FROM field and fall back to the HELO field for verification. Inconsistencies like these let an attacker register strategically chosen mail domains or manipulate message headers to impersonate someone else.
The second category focuses on similar inconsistencies, but between the mail server receiving the message and the application that actually displays it to the user. The experts found major inconsistencies in how different servers and clients handle "From" headers that list multiple email addresses, or addresses surrounded by varying amounts of whitespace. Services are expected to flag such messages as having authentication problems, but in practice many will accept the first address in the list, the last, or all of them as the From field.
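The three sender-field ambiguities described above (a leading open parenthesis, several addresses in one field, and whitespace padding inside the angle brackets) are all cheap to spot at a receiving gateway before any authentication verdict is trusted. The following is an added example, not code from the researchers or from any mail provider; the sample header values are constructed for illustration.

```python
import re

# Constructed sample sender-field values (not taken from the article) that
# exercise the parsing inconsistencies the researchers describe.
SAMPLES = {
    "clean":       "Alice <alice@example.com>",
    "two-senders": "Alice <alice@example.com>, Mallory <mallory@attacker.example>",
    "odd-spacing": "Alice <   alice@example.com   >",
    "open-paren":  "(alice@example.com",
}

# Deliberately loose addr-spec matcher: we want every address a lenient
# parser *might* pick, not only the one a strict parser would accept.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def audit_sender_field(value: str) -> dict:
    """Inspect a MAIL FROM or From: value and report why parsers might disagree.

    Returns the candidate addresses plus one boolean per ambiguity so a gateway
    can quarantine or tag the message instead of trusting an SPF/DKIM/DMARC pass
    that may have been computed against a different identity than the one the
    user's client will display.
    """
    candidates = ADDR_RE.findall(value)
    return {
        "candidates": candidates,
        # Several mailboxes: DMARC alignment needs exactly one identity, and
        # clients differ on whether they show the first, the last, or all.
        "multiple_addresses": len(candidates) > 1,
        # Whitespace inside the angle brackets: some parsers trim it, others
        # treat the padded string as a different, unverifiable address.
        "padded_angle_addr": bool(re.search(r"<\s+\S|\S\s+>", value)),
        # A leading "(" opens an RFC 5322 comment; a parser that discards
        # comments may see an empty sender and fall back to another identity.
        "leading_comment": value.lstrip().startswith("("),
    }


def is_ambiguous(value: str) -> bool:
    """True when at least one inconsistency was found, i.e. do not trust a pass."""
    r = audit_sender_field(value)
    return r["multiple_addresses"] or r["padded_angle_addr"] or r["leading_comment"]


if __name__ == "__main__":
    for name, field in SAMPLES.items():
        verdict = "AMBIGUOUS" if is_ambiguous(field) else "ok"
        print(f"{name:12} {verdict:9} {audit_sender_field(field)}")
```

A real deployment would run this on the envelope sender and on every From: header line before, not instead of, the normal SPF/DKIM/DMARC evaluation.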
Researchers call the third category "ambiguous replay" because it includes various methods of tampering with and replaying a legitimate email the attacker has received. The attacks exploit an element of the DKIM cryptographic authentication mechanism: a user can receive an authenticated email, create a new message that keeps all of its headers and body, and resend it while retaining the authentication. The experts found that an attacker can add further headers and body text to what is already in the message.
In total, the researchers identified 10 email providers and 19 email clients vulnerable to one or more attacks, including Google's Gmail, Apple's iCloud, Microsoft Outlook, and Yahoo Mail.