We Have Fixed A Security Issue

Our international release increased the interest in Tutanota enormously. After getting in contact with security expert Thomas Roth, we asked him whether he could have a look at our code, which he did. Last night he informed us of a security issue in our web application. We appreciate that a lot, as every review by external people makes our application more secure. The issue was a possible cross-site scripting (XSS) attack when forwarding an email, and it has already been fixed. The attack worked as follows: when forwarding an email, the subject was embedded in the body of the new email unsanitized. This made it theoretically possible for an attacker to send an email with a manipulated subject to a Tutanota email address. The attacker then had to trick the user into forwarding this email; this way he would have had the opportunity to execute JavaScript code in the context of the web application. We fixed the issue right away: the subject is now embedded sanitized, and such an attack is no longer possible.
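The following is an added illustration of the pattern described above, not Tutanota's code: a forwarded subject concatenated into the HTML body of the new mail without escaping, beside the hardened form. The helper names and the message structure are assumptions made for this example.

```javascript
// Added example (not Tutanota's code). Demonstrates the forwarded-subject
// XSS pattern: the subject of the original mail is header text, but the
// vulnerable builder pastes it into an HTML string where it becomes markup.

// Escape the characters that can open a tag or terminate an attribute in HTML.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable form (the "before"): the raw subject lands inside the HTML body.
// `original.body` is assumed to have passed the client's HTML sanitizer already.
function buildForwardBodyUnsafe(original) {
  return "<p>---- Forwarded message ----</p>" +
    "<p>Subject: " + original.subject + "</p>" +
    original.body;
}

// Hardened form: the subject is escaped before it is embedded in the body,
// so any markup it carries is shown as literal text in the composer.
function buildForwardBodySafe(original) {
  return "<p>---- Forwarded message ----</p>" +
    "<p>Subject: " + escapeHtml(original.subject) + "</p>" +
    original.body;
}

// Defensive check for reviewers and tests: a header value that should be
// plain text must not survive embedding with unescaped tag characters.
function hasUnescapedMarkup(html, headerValue) {
  return /[<>]/.test(headerValue) && html.indexOf(headerValue) !== -1;
}

// Constructed sample: a subject carrying a script tag, as an attacker could send it.
const SAMPLE_MAIL = {
  subject: "Invoice <script>alert(1)</script>",
  body: "<p>Please find the invoice attached.</p>",
};

function demo() {
  const unsafe = buildForwardBodyUnsafe(SAMPLE_MAIL);
  const safe = buildForwardBodySafe(SAMPLE_MAIL);
  return {
    unsafeLeaksMarkup: hasUnescapedMarkup(unsafe, SAMPLE_MAIL.subject), // true
    safeLeaksMarkup: hasUnescapedMarkup(safe, SAMPLE_MAIL.subject),     // false
  };
}
```

The same rule applies to every other header field that is copied into a body or the DOM (sender name, recipient list): escape for the exact context it is inserted into, or set it through `textContent` rather than string concatenation.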

Thomas Roth also drew our attention to minor issues whose resolution will improve the security of Tutanota further. These will be addressed with the next release.

None of the issues found affect the encryption itself, only the web application as such. With Tutanota you can easily send and receive encrypted emails that cannot be monitored with common mass-surveillance practices. We also strive to prevent targeted attacks on specific Tutanota users. Such attacks are very complicated to execute and – in most cases (like the issue described above) – require a particular action by the user; in this case it was forwarding an email. Any possible attack scenarios brought to our attention will be taken care of immediately, so that you can rely on sending secure emails with Tutanota.

The findings by Thomas Roth show how important peer review is to ensure security. In a few months we will make Tutanota available as open source so that everybody can build their own application and review the code in detail.

If you have any questions, please contact us.

Regards,
your Tutanota team

11th of July 2014
