Email Bug Allows Message Snooping, Credential Theft
#1
Information 
Quote:Researchers warn hackers can snoop on email messages by exploiting a bug in the underlying technology used by the majority of email servers that run the Internet Message Access Protocol, commonly referred to as IMAP. The bug, first reported in August 2020 and patched Monday, is tied to the email server software Dovecot, used by over three-quarters of IMAP servers, according to Open Email Survey.
 
The vulnerability opens the door to what is called a meddle-in-the-middle (MITM) attack, according to a report by researchers Fabian Ising and Damian Poddebniak, with Münster University of Applied Sciences, based in Germany.
 
“The vulnerability allows a MITM attacker between a mail client and Dovecot to inject unencrypted commands into the encrypted TLS context, redirecting user credentials and mails to the attacker,” according to research linked to from a bug bounty page and dated August 2020.
 
A patch for the vulnerability, rated by the vendor as -severity and by the third-party security firm Tenable as critical, is available for download in the form of Dovecot version v2.3.14.1.
 
The flaw centers around the implementation of the email instruction called START-TLS, a command issued between an email program and server that’s designed to secure the delivery of email messages, according to a technical description by Anubisnetworks.
 
“We found that Dovecot is affected by a command injection issue in START-TLS. This bug allows [an attacker] to bypass security features of SMTP such as the blocking of plaintext logins. Furthermore, it allows [an attacker] to mount a session fixation attack, which possibly results in stealing of credentials such as the SMTP username and password,” researchers wrote.

Read more: Email Bug Allows Message Snooping, Credential Theft | Threatpost
[-] The following 2 users say Thank You to silversurfer for this post:
  • dinosaur07, harlan4096
Reply
#2
All the popular email services use IMAP protocols unfortunately.
software enthusiast!
[-] The following 2 users say Thank You to dinosaur07 for this post:
  • harlan4096, silversurfer
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
Kali Linux 2026.2 Released With 9 New To...
Offensive Security...harlan4096 — 08:28
INTEL Arc Graphics 32.0.101.8860 driver
INTEL Arc Graphics...harlan4096 — 08:19
Thunderbird 152.0.1 & Thunderbird 140.12...
Thunderbird 152.0....harlan4096 — 07:59
ESET 19.2.7.0
Changes in 19.2.7....harlan4096 — 07:45
Mozilla Firefox Browser 152.0.4
Mozilla Firefox Br...harlan4096 — 07:44

[-]
Birthdays
Today's Birthdays
avatar (41)optsaZes
avatar (40)RaymondViata
Upcoming Birthdays
avatar (47)dapedDow
avatar (49)TromPerl
avatar (46)RidgeDimb
avatar (37)ipumaqar
avatar (51)tanliorsPeri
avatar (43)lapedDow
avatar (49)rituabew
avatar (37)omyjul
avatar (41)papedDow
avatar (50)ArnoldFum
avatar (38)yfaza
avatar (49)Kevensi
avatar (48)ConradRoand
avatar (39)boineDon
avatar (51)spoofTum
avatar (50)WillieVot
avatar (40)Grompelbawn
avatar (41)vkseogaF
avatar (37)usogy
avatar (40)ywixazok
avatar (38)ixoqe
avatar (56)Step 1
avatar (36)pa.OpenTran

[-]
Online Staff
There are no staff members currently online.

>