Proton

Keeping Email Safe from the ROPEMAKER Vulnerability

In late August, a security advisory(new window) was published regarding a newly discovered exploit affecting email providers. The issue, dubbed as “ROPEMAKER”, stands for “Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky”.

The attack is an interesting one so our security team took a closer look at it. The RopeMaker technique allows an attacker to visually modify a HTML email, sent by the attacker, even after it’s been delivered. In some cases, RopeMaker can also be used to modify the HTML code of an email as well. For example, an attacker could change a good link into a malicious link, or edit the body of an email at will, all without access to the mailbox, and even after the email has been delivered(new window).

Based on the security advisory, Outlook, Apple Mail, and Mozilla Thunderbird are/were vulnerable to this issue. Unfortunately, there’s no fix that you can make yourself to prevent this attack if you’re using one of these email applications. You’ll instead have to wait for these services to patch their systems.

How it Works

The main requirement for achieving a successful RopeMaker attack is when the email client allows remote CSS files to be rendered. The remote CSS file acts as a “modification backdoor” for the attacker/sender in the RopeMaker technique.

RopeMaker and Proton Mail

After analyzing the security advisory, we immediately performed an internal review of our CSS rendering processes. We can confirm that Proton Mail is not affected by the RopeMaker technique, and was not previously affected by it. However, we will be doing some additional development in order to further harden Proton Mail against future, not-yet-discovered exploits which may leverage some of the same techniques as RopeMaker.

At Proton Mail, we are serious about being the most secure email provider. A large part of ensuring a safe email experience is through engineering with security and privacy as the core principle, and not as merely an afterthought. However, even then, there is no such thing as 100% security, so providing the safest email service also requires active monitoring of the latest security threats to emerge.

As part of our email security efforts, our internal security team monitors numerous security mailing lists, forums, and other locations with relevant online chatter in order to identify and block threats before they can be exploited. In addition to our extensive internal efforts to protect Proton Mail users, we also host a bug bounty program to work with security researchers around the world in improving the security state of both Proton Mail and Proton VPN. Through leveraging the expertise of the global security community, we can ensure that Proton Mail is as safe as possible.

Related articles

A cover image for a blog about how to create an incident response plan that shows a desktop computer and a laptop with warning signs on their screens
en
Do you have an incident response plan to protect your business from financial and reputational damage? Find out how Proton Pass for Business can help you stay safe.
Shared with me in Proton Drive for desktop user interface
en
  • For business
  • Atualizações de produto
  • Proton Drive
We've improved Proton Drive for Windows to make it easier to securely collaborate with others from your desktop.
Smart glasses that have been modified for facial surveillance and dox you in real time, finding your personal information after seeing your face.
en
Students modified smart glasses to find someone’s personal data after just looking at them. This is why we must minimize data collection.
The cover image for a blog explaining what password encryption is and how Proton Pass helps users with no tech experience benefit from it
en
Password encryption sounds complicated, but anyone can benefit from it. We explain what it is and how it’s built into Proton Pass for everyone to use.
How Proton can help with DORA compliance
en
We look at how DORA will affect your organization and how Proton’s services can help you meet its compliance requirements.
en
We searched the dark web for Spanish and Italian politicians’ official email addresses. Compared to other politicians, they’ve had fewer breaches.