The open-source RainLoop web-based email client contains an unpatched high-severity security flaw that could be exploited to steal emails from users’ inboxes.
In a report published this week, SonarSource security researcher Simon Scannell said, “an attacker may simply exploit the code vulnerability by sending a malicious email to a target that uses RainLoop as a mail client.”
“When the victim views the email, the attacker takes complete control of the victim’s session and may steal any of the victim’s emails, even those containing extremely sensitive information like passwords, documents, and password reset links.”
The vulnerability, CVE-2022-29360, is a stored cross-site scripting (XSS) flaw that affects RainLoop version 1.16.0, which was released on May 7, 2021.
Stored XSS occurs when a malicious script is injected into a web application through user input (for example, a comment box, or here the body of an email), persisted on the server (typically in a database), and then served to later visitors, in whose browsers it executes.
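The following is an added illustration, not RainLoop’s code and not the specific bug SonarSource found (which this article does not detail). It shows the generic pattern behind a stored XSS in a webmail client: an email body is persisted and later concatenated straight into the page’s markup, so whatever the sender wrote becomes part of the DOM in the victim’s session. The `renderUnsafe`, `renderSafe`, `escapeHtml`, `containsEventHandler` and `sessionCookieHeader` functions and the sample email are all constructed for this example.

```javascript
// Added example (not RainLoop's code): how stored XSS arises when a webmail
// client renders an untrusted email body, and two defensive measures.

// Constructed sample email. The body carries the textbook XSS probe (an
// event-handler attribute), not the RainLoop-specific payload, which the
// article does not describe.
const constructedEmail = {
  from: 'sender@example.test',
  subject: 'Hello',
  body: 'Hi! <img src=x onerror="alert(document.cookie)">',
};

// Vulnerable pattern: the stored message body is concatenated directly into
// HTML. The sender now controls markup executed in the victim's session.
function renderUnsafe(email) {
  return `<div class="mail-body">${email.body}</div>`;
}

// Minimal HTML escaping: every character that can open a tag, an attribute
// or an entity is replaced by its entity form, so the body is shown as text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: untrusted content goes through escapeHtml before it is
// placed into the page.
function renderSafe(email) {
  return `<div class="mail-body">${escapeHtml(email.body)}</div>`;
}

// Crude check used only to make the difference visible: does the rendered
// markup still contain a tag with an on*= event-handler attribute?
// (This is a test aid, not a substitute for a real sanitizer.)
function containsEventHandler(html) {
  return /<[^>]+\son\w+\s*=/i.test(html);
}

// Defence in depth: a session cookie marked HttpOnly cannot be read from
// JavaScript, so even a script that does run cannot exfiltrate it via
// document.cookie. Secure and SameSite further limit where it is sent.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

console.log('unsafe :', renderUnsafe(constructedEmail));
console.log('safe   :', renderSafe(constructedEmail));
console.log('cookie :', sessionCookieHeader('sid', 'constructed-session-id'));
```

A real webmail client cannot simply escape everything, because legitimate mail is often HTML; the usual approach is an allowlist-based sanitizer that keeps a small set of safe tags and attributes and drops everything else, which is exactly the component that must be correct to prevent this class of bug. The HttpOnly cookie is a mitigation for the session-theft consequence the researcher describes, not a fix for the XSS itself.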
SonarSource notified RainLoop’s maintainers of the flaw on November 30, 2021, according to its disclosure timeline, and the developer has not provided a fix in over four months.
The Swiss code quality and security company opened an issue on GitHub on December 6, 2021, which remains open to this day. We have contacted RainLoop for comment and will update the article if we receive a response.
In the absence of a patch, SonarSource advises users to migrate to SnappyMail, an actively maintained fork of RainLoop that is not affected by the flaw.
Check out Sonar’s YouTube video showing how this attack works; it is quite striking and highlights how easily third-party email systems can be compromised.
For a protected and secure email experience, we recommend using PGP technology to encrypt your communications.