Pretending to be someone you're not in an email has never been quite hard enough—hence phishing, that eternal scourge of internet security. But now one researcher has dug up a new collection of bugs in email programs that in many cases strip away even the existing, imperfect protections against email impersonation, allowing anyone to undetectably spoof a message with no hint at all to the recipient.

On Tuesday, security researcher and programmer Sabri Haddouche revealed Mailsploit, an array of methods for spoofing email in more than a dozen common email clients, including Apple Mail for iOS and macOS, Mozilla's Thunderbird, Microsoft Mail, and Outlook 2016, as well as a long list of less common clients including Opera Mail, Airmail, Spark, Guerrilla Mail and Aol Mail. By combining the bugs in those email clients with quirks in how operating systems handle certain kinds of text, Haddouche was able to craft email headers that, to the recipient, give every indication of having been sent from whatever address the fraudster chooses. The potential for phishing schemes is enormous.

A demo Haddouche has made available on his website describing the Mailsploit attack lets anyone send emails from any address they choose; think potus@whitehouse.gov, tcook@apple.com, john.podesta@gmail.com or any other corporate executive, politician, friend, family member, or associate that might trick someone into giving up their secrets. Thanks to Mailsploit's tricks, no amount of scrutiny in the email client can reveal the fakery.

"This makes these spoofed emails virtually unstoppable at this point in time," writes Haddouche, who works as a developer for secure messaging service Wire.

Missing DMARC

Email spoofing is a hacker trick as old as email itself. But over the years, administrators of email servers have increasingly adopted authentication systems, most recently one known as Domain-based Message Authentication, Reporting and Conformance (DMARC), which blocks spoofed emails by checking that the domain in a message's visible "From" header matches the domain that the underlying SPF or DKIM checks authenticated, and rejecting or quarantining messages where it doesn't. Partly as a result, phishers today generally have to use fake domains (the part of the email address after the "@") that resemble real ones, or cram real-looking addresses into the "name" field of their email. Either case is fairly easy to spot, if you're careful to hover over or click on the "from" field of any suspicious-looking email.


But Mailsploit's tricks sidestep DMARC by exploiting how email servers handle text data differently than desktop and mobile operating systems. Email headers are supposed to be plain ASCII; a 25-year-old standard, RFC 1342 (whose current version is RFC 2047), lets a header carry non-ASCII text by wrapping it in an "encoded-word" that the recipient's email client decodes before display. By crafting "From" headers that abuse flawed implementations of that decoding, together with the idiosyncrasies of how Windows, Android, iOS, and macOS handle text, Haddouche has shown that he can make an email server read a header one way, seeing the real sending domain and passing the DMARC check, while the email client decodes the same header and displays whatever address he chose.

"The cleverness of this attack is that everything comes from the right source from the perspective of the mail server, but at the moment it’s displayed to the user it comes from someone else," says Dan Kaminsky, a protocol-focused security researcher and chief scientist at cybersecurity firm White Ops. "The authentication system for the server sees one thing. The authentication system for humans sees another."

Patchwork Fixes

Haddouche says he contacted all of the affected firms months ago to warn them about the vulnerabilities he's found. Yahoo Mail, Protonmail and Hushmail have already fixed their bugs, while Apple and Microsoft have told Haddouche they're working on a fix, he says. A Microsoft spokesperson wrote to WIRED to note that Outlook.com, Office 365, and Exchange 2016 aren't affected by the attack. Most other affected services haven't responded, Haddouche says. Haddouche's full list of affected email clients and their responses to his Mailsploit research is here.

Mozilla and Opera, Haddouche says, both told him they don't plan to fix their Mailsploit bugs, instead describing them as server-side problems. (On Wednesday, Thunderbird developer Jörg Knobloch wrote to WIRED to note that Thunderbird will make a patch available in the next 24 hours.) Blaming the server, rather than the email client, may be more than just a lazy dodge: Haddouche tells WIRED that email providers and firewalls can also be set to filter out his attack, even if email clients remain vulnerable.
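The server-versus-client split described under "Missing DMARC", and the provider-side filtering Haddouche mentions here, as an added example written for this page (not code from the article, from Haddouche's demo, or from any mail vendor). It uses Python's standard email library and constructed sample "From" headers. It assumes one client quirk of the kind the article alludes to: after decoding the encoded-word, the client hands the display name to a routine that stops at the first control character. The NUL and newline bytes in the samples, and the function and constant names, are this example's own choices.

```python
"""Added example: a From: header that a mail server reads one way and a
client displays another, plus a server-side filter for it.
Sample headers are constructed for this example."""
import re
from email.header import decode_header
from email.utils import parseaddr

# Constructed From: headers. The address in angle brackets is what the
# server's SPF/DKIM/DMARC alignment sees. The display name of headers 2
# and 3 is an RFC 1342/2047 encoded-word that decodes to an address-looking
# string followed by a control byte (NUL in Q encoding, newline in B).
SAMPLE_FROM_HEADERS = [
    'Alice Example <alice@example.org>',
    '=?utf-8?Q?potus=40whitehouse=2Egov=00?= <attacker@example.net>',
    '=?utf-8?B?dGNvb2tAYXBwbGUuY29tCg==?= <attacker@example.net>',
]

CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')
ADDRESS_LIKE = re.compile(r'[^\s@<>]+@[^\s@<>]+')


def split_from(header):
    """Return (raw_display_name, addr_spec, domain) as a mail server sees
    them: no encoded-word decoding happens at this stage, so the domain
    that DMARC aligns on is the one after the '@' in the angle brackets."""
    name, addr = parseaddr(header)
    domain = addr.rpartition('@')[2].lower()
    return name, addr, domain


def decode_display_name(raw_name):
    """Decode encoded-words the way a client does, keeping every byte the
    encoded-word carried, including control characters."""
    parts = []
    for chunk, charset in decode_header(raw_name):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or 'ascii', errors='replace')
        parts.append(chunk)
    return ''.join(parts)


def naive_client_view(header):
    """Assumed client quirk (not taken from the article): decode, then show
    the result only up to the first control character, and hide the real
    address behind the name as many mobile clients do."""
    raw_name, _addr, _domain = split_from(header)
    decoded = decode_display_name(raw_name)
    return CONTROL_CHARS.split(decoded, maxsplit=1)[0]


def suspicious_from(header):
    """Server-side filter of the kind a provider or gateway could run.
    Flags a From: whose decoded display name carries control characters
    or contains an address whose domain differs from the one the server
    aligned on. Returns a list of reasons; an empty list means clean."""
    raw_name, _addr, domain = split_from(header)
    decoded = decode_display_name(raw_name)
    reasons = []
    if CONTROL_CHARS.search(decoded):
        reasons.append('control characters in decoded display name')
    visible = CONTROL_CHARS.sub(' ', decoded)
    for match in ADDRESS_LIKE.finditer(visible):
        shown = match.group(0)
        if shown.rpartition('@')[2].lower() != domain:
            reasons.append('display name impersonates %s' % shown)
    return reasons


if __name__ == '__main__':
    for hdr in SAMPLE_FROM_HEADERS:
        _name, addr, domain = split_from(hdr)
        print('server sees   :', addr, '(aligned domain: %s)' % domain)
        print('client shows  :', naive_client_view(hdr))
        print('filter verdict:', suspicious_from(hdr) or 'clean')
        print()
```

The point of `suspicious_from` is that the decision is made after decoding the encoded-word, on the same text the client will eventually render; a filter that only inspects the raw ASCII header, as the server's DMARC evaluation does, sees nothing wrong with headers 2 and 3.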