# Cloudilax

Unpatched Bug In RainLoop Could Give Hackers Access To All Emails

An unpatched security flaw has been disclosed in RainLoop, an open-source web-based email client, that could be weaponized to siphon emails from victims’ inboxes.

In a report published this week, SonarSource security researcher Simon Scannell said that “an attacker could easily exploit the code vulnerability by sending a malicious email to a potential victim that uses RainLoop as a mail client.”

When the victim views the email, the attacker gains complete control over the victim’s session and can steal any of their emails, including the ones that contain highly sensitive information such as passwords, documents, and password reset links.

The flaw, tracked as CVE-2022-29360, is a stored cross-site scripting (XSS) vulnerability that affects the latest version of RainLoop, released on May 7, 2021.

Attack chains leveraging the flaw may take the form of a specially crafted email sent to victims, impacting all RainLoop installations running under default configurations. When a potential victim views the email, a malicious JavaScript payload executes in their browser without requiring any further user interaction.

In its disclosure timeline, SonarSource said that it notified the maintainers of RainLoop of the bug on November 30, 2021, and that for more than four months, the software maker has failed to issue a fix.

On December 6, 2021, the Swiss code quality and security company raised an issue on GitHub, which remains open to date.

In the absence of patches, SonarSource recommends that users migrate to SnappyMail, a RainLoop fork that is actively maintained and unaffected by the security issue.
