I just set up my email account using imap.mydomain.com and smtp.mydomain.com. However, I am serving a self-signed certificate to do the TLS encryption. The app did not complain at all even though I did not import any sort of certificate authority. In a further test, I presented it with a certificate for imap.anotherdomain.com and smtp.anotherdomain.com; again, no error or anything. This seems like a huge security risk to me. Could you please clarify if/how the certificate verification is happening. From my understanding, the current behavior allows MitM attacks using an arbitrary certificate, which ultimately allows the attacker to obtain the user's credentials and hence full access to their email accounts.
Edit: It seems like this issue is known since 2017 (#308). Without resolving this, the app seems like a massive security risk to any organization using the mail app inside their nextcloud installation.
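For reference, this is what a TLS client is expected to do with the two certificates described in the report above: refuse a chain that does not lead to a trusted CA, and refuse a certificate whose dNSName entries do not cover the host it dialled. It is an added illustration in Python, not code from Nextcloud Mail (which is PHP); the hostnames are the ones from the report, and the peer-certificate dictionaries, the `ca_file` parameter and the helper names are constructed for this example.

```python
"""Added example (not Nextcloud Mail code): TLS verification a mail client
must perform, plus a hostname matcher for the dNSName rules of RFC 6125."""
import imaplib
import ssl

# Constructed peer certificates in the dict shape SSLSocket.getpeercert()
# returns after a verified handshake (only the fields used here).
GOOD_CERT = {  # cert actually issued for the mail host
    "subject": ((("commonName", "imap.mydomain.com"),),),
    "subjectAltName": (("DNS", "imap.mydomain.com"), ("DNS", "smtp.mydomain.com")),
}
WRONG_NAME_CERT = {  # the second test in the report: valid chain, wrong host
    "subject": ((("commonName", "imap.anotherdomain.com"),),),
    "subjectAltName": (("DNS", "imap.anotherdomain.com"), ("DNS", "smtp.anotherdomain.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"),),
}


def secure_client_context(ca_file=None):
    """Context that rejects untrusted chains and name mismatches.

    ca_file (assumed parameter): bundle of a private CA, for sites that run
    their own PKI. Without it the OS trust store is used, so a self-signed
    server certificate makes the handshake fail instead of silently passing.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context():
    """The behaviour the report describes: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx):
    """True only if the chain is verified AND the name is checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def _dns_pattern_matches(pattern, hostname):
    """RFC 6125 style match of one dNSName pattern against a hostname."""
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host):
        return False  # a wildcard covers exactly one label, never "a.b.example.com"
    if pat[0] == "*":
        # Wildcard must be the whole leftmost label and leave at least two
        # labels, so "*.com" can never match "mydomain.com".
        return len(pat) >= 3 and pat[1:] == host[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "im*.mydomain.com" are rejected
    return pat == host


def certificate_matches_host(cert, hostname):
    """Accept only a dNSName SAN that covers hostname; CN is not a fallback."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_pattern_matches(n, hostname) for n in names)


def connect_imap(host, port=993, ctx=None):
    """Open IMAPS with a verifying context. With the secure context, a
    self-signed certificate or one for another domain raises
    ssl.SSLCertVerificationError here, before any credentials are sent."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx or secure_client_context())


if __name__ == "__main__":
    print("secure context safe:", context_is_safe(secure_client_context()))
    print("insecure context safe:", context_is_safe(insecure_client_context()))
    for name, cert in [("good", GOOD_CERT), ("wrong name", WRONG_NAME_CERT), ("wildcard", WILDCARD_CERT)]:
        print(name, "matches imap.mydomain.com:", certificate_matches_host(cert, "imap.mydomain.com"))
```

The chain check and the hostname check are separate controls: a certificate for imap.anotherdomain.com can be perfectly valid under a public CA and still belongs to an attacker, so a client that verifies the chain but skips the name comparison (or the reverse) is still open to the MitM the report describes.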
I'll have a look. Next time please use https://hackerone.com/nextcloud for such issues.
Closing as dup of #308. Let's continue there.
I actually was on this hackerone.com website but honestly didn't find the correct category to report it in. Could you point me to it?
You start at https://hackerone.com/nextcloud/reports/new. If you need any help you can also first ask for it on help.nextcloud.com. The important part is not to disclose a possible security issue before it's taken care of.
Well, given this was first disclosed to you in 2017 I feel like you kinda had a lot of time to look into this, didn't you?
Yes, 3 years should be enough for the risk assessment 😄
But indeed I didn't report it via hackerone in 2017. Sorry for that 😥😄