A lesser-known technology, "mailto" links, can be used to launch attacks on users of desktop email clients.
The new attacks could be used to steal hidden local files and email them as attachments to intruders, according to a research paper published last week by academics from two German universities.
Attack on mailto links
The "vulnerability" at the heart of these attacks is the way email clients implemented RFC6068, the technical standard that describes the "mailto" URI scheme.
Mailto refers to a specific type of link, usually supported by web browsers or email clients. These are links that, when clicked, open a new email editing / reply window instead of a new web page.
RFC6068 says that mailto links can support various parameters. When used with mailto links, these parameters will fill the new email window with predefined content.
For example, a mailto link like the one below will open a new email editing window with the destination email already pre-filled with "firstname.lastname@example.org", a "Hello" subject line and an email from a "friend".
RFC6068 (mailto) supports a wide range of customization parameters for mailto links, including infrequently used options which can be used to control the main text of the email, the reply email address and even the email headers.
However, even the standard itself warns software engineers not to support all parameters, recommending that applications support only a few "safe" options.
Some email clients supported dangerous mailto parameters
However, in a research paper entitled "Mailto: Me Your Secrets" [PDF], academics from Ruhr Bochum University and Münster University of Applied Sciences said they found email client applications that support the mailto standard, including some of the parameters that allow attacks on their users.
Specifically, the researchers looked at the mailto "attach" or "attachment" parameters, which allow mailto links to open new email editing / reply windows with a file already attached.
Academics claim that intruders can send emails containing such mailto links, or place mailto links on websites, that, when clicked, could secretly add sensitive files to the email window.
If the user composing the email does not notice the attachment, attackers could receive sensitive files from the user's system, such as encryption keys (PGP), SSH keys, configuration files, crypto wallet files, password stores or important business documents, provided they are stored in file paths known to the attacker.
Academics say they have tried different versions of this data exfiltration technique.
The research team said it tested 20 email clients for the attack scenario and found that four clients were vulnerable. This list included the following:
- Evolution, the default email client for the GNOME desktop environment on Linux
- KMail, the default email client for KDE desktop environments on Linux
- IBM / HCL Notes for Windows
- Older versions of Thunderbird on Linux (now fixed)
All issues found were reported to the respective development teams and fixed this spring and summer.
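The allowlist approach the standard recommends, with the "attach" and "attachment" parameters flagged explicitly, can look like this on the client side. This is an added example, not code from the researchers or from any of the email clients named above; the function name `sanitize_mailto`, the choice of allowed fields and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumed allowlist for this example; a real client picks its own.
SAFE_FIELDS = {"to", "cc", "subject", "body"}
# Parameters the article describes as attaching local files.
ATTACH_FIELDS = {"attach", "attachment"}


def sanitize_mailto(uri):
    """Split a mailto URI into allowed fields and rejected parameter names."""
    parts = urlsplit(uri.strip())
    if parts.scheme != "mailto":
        raise ValueError("not a mailto URI")
    fields, rejected = [], []
    # Recipients sit in the path part, comma-separated.
    for addr in parts.path.split(","):
        if addr:
            fields.append(("to", unquote(addr)))
    # Parse by hand: '+' is a literal plus in mailto, not a space.
    for pair in parts.query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        # Decode and lowercase the name first, so "%41ttach" or "Attach"
        # cannot slip past the comparison.
        name = unquote(name).strip().lower()
        if name in SAFE_FIELDS:
            fields.append((name, unquote(value)))
        else:
            rejected.append(name)
    return {
        "fields": fields,
        "rejected": rejected,
        "attachment_attempt": any(n in ATTACH_FIELDS for n in rejected),
    }


if __name__ == "__main__":
    # Constructed sample links; the file path is a placeholder.
    samples = [
        "mailto:firstname.lastname@example.org?subject=Hello&body=Friend",
        "mailto:firstname.lastname@example.org?Subject=Hi&%41ttach=/placeholder/secret.key",
    ]
    for link in samples:
        print(sanitize_mailto(link))
```

A client using a check like this would pre-fill the compose window only from `fields` and could warn the user whenever `attachment_attempt` is true.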