We regret of having to inform you about this issue. At Tutanota we focus on security, thus, publishing all details about security relating issues is part of our strict transparency policy.

Our development process is designed to deliver secure, tested, and reviewed apps. Unfortunately, finding vulnerabilities is an inalienable part of any software development process; we work hard to mitigate this risk.

We are currently reviewing our development process to adjust our methods to further maximize the probability of finding security relevant issues prior to releasing new app versions. For full transparency, we are communicating any and all details about this vulnerability. It first came to our attention when we investigated bug reports of file names that couldn't be opened due to an underlying problem. We fixed the escaping and then found out that there is also a security issue, which we addressed immediately.

We hope you understand that we were unable to publish any details previously to protect our users: We had to make sure that all users have updated to the secure app versions first (see timeline). We apologize for any inconvenience caused by this.

Affected app versions are disabled

The issue affected users of the new iOS app and users of the new Android beta app (F-Droid and Play Store). The issue did not affect the old Android app (version 2, currently in Play Store and used by a large portion of our users). The web client was also not affected.

The affected app versions have already been disabled so the vulnerability cannot be exploited anymore.

In case you have used one of the affected versions, we recommend to change your password as a security measure. We also recommend turning on second-factor authentication if possible.

Timeline

5 July 2018: Tutanota Android Beta version published

30 August 2018: F-Droid version became available

11 September 2018: Vulnerability discovered and patched

12 September 2018: Patched iOS & Android versions published

13 September 2018: Patched version (3.37.1) was published (this version will not be disabled)

26 September 2018: Versions before 3.37.1 were disabled

Details of vulnerability

Code injection in Web-Native communication channel.

Announced: 28 September 2018

Impact: High

Versions: 3.35.5 through 3.36.8

Web-Native communication channel was not properly escaped. Potential attacker was able to inject arbitrary code into the web part of the app using crafted file names. Namely, single quotes were not escaped when passing a ECMAScript message to the web engine. The issue was mitigated by encoding and decoding messages in communication channel. File names of downloaded files were passed back to the web part after downloading the file and that opened a possibility to use unescaped input.

Such an issue was possible because Content Security Policy (CSP) does not apply to evaluating scripts using WebViews.

While attack through a contact was also possible, it was much harder to exploit.

Commit fixing iOS app: https://github.com/tutao/tutanota/commit/88053e716c3445fef07e14fddf7a0ade4c1a80ea

Commit fixing Android app: https://github.com/tutao/tutanota/commit/6345966bb1c7eba0d4638ffcfe67d791f06f5226

Reviewing development process to maximize security

To our knowledge, this potential exploit has not been abused. We are currently reviewing our development process to adjust our methods to further maximize the probability of finding security relevant issues prior to releasing new app versions. We apologize for any inconvenience caused by this.

We are now doing an internal security review of the new Tutanota email client and iOS and Android apps. We also plan to commence an external security review soon. If you want to contribute to Tutanota's security, we appreciate your donation for an external security review.