Proton

Keeping Email Safe from the ROPEMAKER Vulnerability

In late August, a security advisory(new window) was published regarding a newly discovered exploit affecting email providers. The issue, dubbed as “ROPEMAKER”, stands for “Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky”.

The attack is an interesting one so our security team took a closer look at it. The RopeMaker technique allows an attacker to visually modify a HTML email, sent by the attacker, even after it’s been delivered. In some cases, RopeMaker can also be used to modify the HTML code of an email as well. For example, an attacker could change a good link into a malicious link, or edit the body of an email at will, all without access to the mailbox, and even after the email has been delivered(new window).

Based on the security advisory, Outlook, Apple Mail, and Mozilla Thunderbird are/were vulnerable to this issue. Unfortunately, there’s no fix that you can make yourself to prevent this attack if you’re using one of these email applications. You’ll instead have to wait for these services to patch their systems.

How it Works

The main requirement for achieving a successful RopeMaker attack is when the email client allows remote CSS files to be rendered. The remote CSS file acts as a “modification backdoor” for the attacker/sender in the RopeMaker technique.

RopeMaker and Proton Mail

After analyzing the security advisory, we immediately performed an internal review of our CSS rendering processes. We can confirm that Proton Mail is not affected by the RopeMaker technique, and was not previously affected by it. However, we will be doing some additional development in order to further harden Proton Mail against future, not-yet-discovered exploits which may leverage some of the same techniques as RopeMaker.

At Proton Mail, we are serious about being the most secure email provider. A large part of ensuring a safe email experience is through engineering with security and privacy as the core principle, and not as merely an afterthought. However, even then, there is no such thing as 100% security, so providing the safest email service also requires active monitoring of the latest security threats to emerge.

As part of our email security efforts, our internal security team monitors numerous security mailing lists, forums, and other locations with relevant online chatter in order to identify and block threats before they can be exploited. In addition to our extensive internal efforts to protect Proton Mail users, we also host a bug bounty program to work with security researchers around the world in improving the security state of both Proton Mail and Proton VPN. Through leveraging the expertise of the global security community, we can ensure that Proton Mail is as safe as possible.

Related articles

Proton Mail and Proton Calendar winter product roadmap
en
  • Product updates
  • Proton Calendar
  • Proton Mail
Preview upcoming updates to Proton Mail and Proton Calendar, including performance boosts, new features, and enhanced privacy tools.
Gantt chart displaying Proton Drive plans and development of new features
en
Discover the tools, features, and improvements coming to Proton Drive’s secure cloud storage and document editor this winter and spring.
laptop showing Bitcoin price climbing
en
  • Privacy guides
Learn what a Bitcoin wallet does and the strengths and weaknesses of custodial, self-custodial, hardware, and paper wallets.
pixel tracking: here's how to tell which emails track your activity
en
Discover what pixel tracking is and how it works, how to spot emails that track you, and how to block these hidden trackers.
A cover image for a blog describing the next six months of Proton Pass development which shows a laptop screen with a Gantt chart
en
  • Product updates
  • Proton Pass
Take a look at the upcoming features and improvements coming to Proton Pass over the next several months.
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone
en
We searched the dark web for Danish, Dutch, and Luxembourgish politicians’ official email addresses. In Denmark, over 40% had been exposed.