Proton Blog

Keeping Email Safe from the ROPEMAKER Vulnerability


In late August, a security advisory was published regarding a newly discovered exploit affecting email providers. The issue, dubbed “ROPEMAKER”, stands for “Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky”.

The attack is an interesting one, so our security team took a closer look at it. The RopeMaker technique allows an attacker to visually modify an HTML email, sent by the attacker, even after it has been delivered. In some cases, RopeMaker can also be used to modify the HTML code of an email. For example, an attacker could change a good link into a malicious link, or edit the body of an email at will, all without access to the mailbox, and even after the email has been delivered.

Based on the security advisory, Outlook, Apple Mail, and Mozilla Thunderbird are/were vulnerable to this issue. Unfortunately, there is no fix you can apply yourself to prevent this attack if you are using one of these email applications. You will instead have to wait for these vendors to patch their software.

How it Works

The main requirement for a successful RopeMaker attack is an email client that fetches and renders remote CSS files. Because the stylesheet is hosted on a server the sender controls, it can be changed at any time after delivery, so the remote CSS file acts as a “modification backdoor” for the attacker/sender in the RopeMaker technique.
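The defensive consequence is that a mail client or rendering pipeline should refuse to load any stylesheet that is not embedded in the message itself. The following is an added example, not Proton Mail’s own code: it scans an HTML email for remote stylesheet references (`<link rel="stylesheet">` pointing off-host and `@import` rules inside `<style>` blocks) and applies a simple render policy. The two sample messages are constructed for this example.

```python
import re
from html.parser import HTMLParser

# @import "//host/x.css" or @import url(https://host/x.css); group 1 is the URL.
IMPORT_RE = re.compile(r"""@import\s+(?:url\(\s*)?['"]?((?:https?:)?//[^'")\s;]+)""", re.I)


class RemoteCssScanner(HTMLParser):
    """Collect remote stylesheet references: <link rel=stylesheet href=...>
    pointing at another host, and @import rules inside <style> blocks."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "link" and "stylesheet" in a.get("rel", "").lower():
            href = a.get("href", "").strip()
            if href.lower().startswith(("http://", "https://", "//")):
                self.urls.append(href)
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.urls.extend(m.group(1) for m in IMPORT_RE.finditer(data))


def find_remote_css(html):
    """Return every remote stylesheet URL the message would make a client fetch."""
    scanner = RemoteCssScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.urls


def is_safe_to_render(html):
    """Render policy: only render HTML that loads no external CSS."""
    return not find_remote_css(html)


# Constructed sample messages (not real mail); sender.example is a placeholder host.
REMOTE_CSS_EMAIL = """<html><head>
<link rel="stylesheet" href="https://sender.example/mail.css">
<style>@import url("//sender.example/more.css"); p { color: #333; }</style>
</head><body><p>Please review the attached invoice.</p></body></html>"""

INLINE_CSS_EMAIL = """<html><head><style>p { color: #333; }</style></head>
<body><p style="font-weight:bold">Please review the attached invoice.</p></body></html>"""
```

Running `find_remote_css(REMOTE_CSS_EMAIL)` lists both sender-controlled stylesheets, while the inline-only message passes `is_safe_to_render`.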

RopeMaker and Proton Mail

After analyzing the security advisory, we immediately performed an internal review of our CSS rendering processes. We can confirm that Proton Mail is not affected by the RopeMaker technique, and was not previously affected by it. However, we will be doing some additional development in order to further harden Proton Mail against future, not-yet-discovered exploits which may leverage some of the same techniques as RopeMaker.

At Proton Mail, we are serious about being the most secure email provider. A large part of ensuring a safe email experience is through engineering with security and privacy as the core principle, and not as merely an afterthought. However, even then, there is no such thing as 100% security, so providing the safest email service also requires active monitoring of the latest security threats to emerge.

As part of our email security efforts, our internal security team monitors numerous security mailing lists, forums, and other locations with relevant online chatter in order to identify and block threats before they can be exploited. In addition to our extensive internal efforts to protect Proton Mail users, we also host a bug bounty program to work with security researchers around the world in improving the security state of both Proton Mail and Proton VPN. Through leveraging the expertise of the global security community, we can ensure that Proton Mail is as safe as possible.



Mazin Ahmed

Mazin is a security researcher who specializes in web-application and mobile-application security. He is passionate about information security and has previously found vulnerabilities in Facebook, Twitter, LinkedIn, and Oracle, to name a few. Mazin is a member of the Proton Mail Security Team.
