ROPEMAKER technical whitepaper

A technical whitepaper on a vulnerability affecting popular email clients which allows attackers to arbitrarily modify the perceived content of HTML emails post-delivery

This paper describes some research I did about a year ago on the most popular email clients. It highlights a weakness that allows attackers to arbitrarily modify the perceived content of HTML emails post-delivery, even in the presence of technologies such as PGP and S/MIME.

In this document, I cover the design flaw and some of the offensive techniques enabled by it, along with its implications and side effects. With this, I aim to bring a better understanding of the technical aspects of this attack, dubbed Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky (ROPEMAKER), and how one can protect against it.

Notes

The views expressed here are mine alone and not those of my employer

This was presented at the 39th M3AAWG event last February in San Francisco and publicly disclosed on August the 22nd by Mimecast; you can read more about its official release here

This is exploratory work, mostly for fun, and it's not comprehensive in any way

Tests were done against recent versions of Microsoft Outlook, Apple Mail and Mozilla Thunderbird running on Mac OS El Capitan / Sierra and on an iPhone 6 / SE with iOS 9 and, later on, 10

Thanks to Mimecast for supporting this work and for being such an incredible place to work

Also special thanks to my friends who reviewed this paper (Mark, Hugo, Morisson, Tiziano, Geta, Kyriakos and Borja)

Questions, Feedback and Comments are welcome

Download

ropemaker.pdf - paper (draft)