Unpatched Bug in RainLoop Webmail Could Give Hackers Access to all Emails - Switch to SnappyMail

Unpatched Bug in RainLoop Webmail Could Give Hackers Access to all Emails

A potential impact to /e/mail

An unpatched high-severity security flaw has been disclosed in the open-source RainLoop web-based email client that could be weaponized to siphon emails from victims’ inboxes.

SonarSource, in its disclosure timeline, said that it notified the maintainers of RainLoop of the bug on November 30, 2021, and that the software maker has failed to issue a fix for more than four months.

In the absence of patches, SonarSource is recommending users to migrate to a RainLoop fork called SnappyMail, which is actively maintained and unaffected by the security issue.

SnappyMail is a fork of the much appreciated RainLoop, but with massive changes…

https://snappymail.eu/

Installation instructions - To Include Migration from Rainloop


2 Likes

I’ll be curious to know if this could be avoided by some Nginx reverse proxy configuration?

I have no idea. Maybe you can reach out to Rainloop and see what they say. Think it would be worth a try?

Other Possible Solutions.

A mail app for Nextcloud

RoundCube for Nextcloud

Easiest solution: apply the proposed patch from here: RainLoop Webmail - Emails at Risk due to Code Flaw

Done for my self-hosted, working fine :smiley_cat:
For reference, the file path on self-hosted is /mnt/repo-base/volumes/nextcloud/html/custom_apps/rainloop/app/rainloop/v/1.1?.0/app/libraries/MailSo/Base/HtmlUtils.php (1.15.0 for current, 1.16.0 for NC21).

3 Likes

Sounds like the way to go. You should run this up with the efoundation. It would be the easiest way to go. But is this a short-term fix or a long-term solution?

Since Rainloop is the email solution for /e/Mail then it is worth a look. I am sure many users enjoy using e.email as a great email option.

Why do you think Rainloop is taking so long to address this?

It is a long-term run for me, as the patch completely resolves the problem.

At least, until the Rainloop dev team comes up with a heavy rewrite AND the /e/ team decides to update their app.
This can take … some time! :wink: I’m not aware of Rainloop dev member activities, so for me it can’t be predictable.

I’ll try to use my patched self-hosted Rainloop for some days, then if OK I’ll open a Gitlab issue for /e/ dev to patch their servers.

2 Likes

Sounds like a good first step to address the issue. I only asked about short-term because of the article you included. It seems to suggest the Rainloop dev team has made no official effort as of yet. And like you stated, it can take time. By both articles we posted, it’s been almost 6 months already. There needs to be a bit faster movement by devs to address end user concerns. I think that’s why the articles suggest migrating to SnappyMail for long-term use. Mail-in-a-box seems to fit the bill as well. Of course it would be far easier to just address the issue in Rainloop. I’m sure you can work some of your magic to fix this lol. I look forward to hearing how your testing goes. :sunglasses:

That’s what we call “open-source laws”: it’s free but there’s no guarantee, if you don’t agree you can do it yourself :see_no_evil:

So far testing is OK with regular emails, but I wasn’t able to reproduce the PoC by sending a forged “evil email” …
Anyway, I’ll open a GitLab issue in days, as promised :slight_smile:

@smu44 Good to hear. I hope it works out well and fixes the issue. Thanks for being on the ball. Many users will thank you for it. No question. This includes myself :slightly_smiling_face:

In the end I am sure people just want a good, Long-term solution to the issue. Whatever that may look like.

I must admit that looking at Nextcloud mail, which uses the mail-in-a-box mail service, looks like a great option, as RoundCube is only a part of the package. Especially when looking at their security guide. Very nice overall.

It also looks like SnappyMail is working on Nextcloud integration as well.

Interesting SnappyMail vs RainLoop
https://snappymail.eu/comparison.html

I agree, some competitors may be better than Rainloop.

But I’m quite sure that the /e/ dev team won’t have the resources to migrate from a customized Rainloop, so for now we can only patch it, and hope for another webmail app in the very long term :wink:

That is exactly how I see it. The patch that you mentioned serves the immediate situation without issue. This also gives time for the /e/ devs to discuss options for the long term without having to worry about the current issue, as it already has a solution. Peace of mind and breathing room. I couldn’t agree more. :sunglasses:

@smu44 So how is the testing coming along? Any issues with implementing the patch?

So far, no problem using the patch.
And it was very easy to put in place :smile_cat:

Please allow me some days; when I have enough free time I’ll create the issue in the /e/ GitLab.

@smu44 Sounds good. I look forward to hearing about the patch’s performance. Thanks.

Hi @Seven,

I found no problem nor performance issue using the patch :slight_smile:
That was expected: it just replaces a static tag with a random one (roughly, this tag helps the rendering engine identify the HTML part of the message).

Expect the GitLab issue to be created during next weekend!

2 Likes
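An added illustration of the principle smu44 describes in the post above (a fixed wrapper tag versus a per-render random one). This is example code written for this thread, not RainLoop’s HtmlUtils.php nor the patch linked earlier; the marker format, the `data-` attribute, the `STATIC_MARKER` value and all function names are assumptions made for the demonstration. It shows, as a sanitizer regression check, why a renderer that locates the message body by a guessable marker cannot tell a real wrapper from one reproduced inside untrusted content, and why an unpredictable marker removes that ambiguity.

```python
import secrets

# Constructed placeholder for a fixed, guessable marker name, standing in for the
# "static tag" the post says the unpatched code used. Not RainLoop's real value.
STATIC_MARKER = "x-mail-part"


def random_marker() -> str:
    """Per-render marker that untrusted content cannot predict (the patched approach)."""
    return "x-" + secrets.token_hex(8)


def wrap_body(body_html: str, marker: str) -> str:
    """Wrap a message body in the marker element the renderer later uses to find it.

    body_html is treated as untrusted input; this helper only adds the wrapper and
    does not sanitize the body itself (assumed to happen elsewhere).
    """
    return f'<div data-{marker}="body">{body_html}</div>'


def count_marker_boundaries(rendered: str, marker: str) -> int:
    """How many elements in the rendered document claim to be the marker element."""
    return rendered.count(f'data-{marker}="body"')


def boundary_is_unambiguous(rendered: str, marker: str) -> bool:
    """A renderer that locates the body by its marker must find exactly one candidate."""
    return count_marker_boundaries(rendered, marker) == 1


# Constructed test input: a body that merely repeats the well-known static marker
# string. Nothing executes here; the point is only that untrusted content can
# reproduce a fixed marker, so the renderer can no longer tell which wrapper is real.
BODY_MIMICKING_STATIC_MARKER = (
    f'<p>hello</p><div data-{STATIC_MARKER}="body"><p>looks like the wrapper</p></div>'
)


def check_static() -> bool:
    """Fixed marker: the body contains a second, identical marker -> ambiguous."""
    out = wrap_body(BODY_MIMICKING_STATIC_MARKER, STATIC_MARKER)
    return boundary_is_unambiguous(out, STATIC_MARKER)


def check_random() -> bool:
    """Random marker: the body cannot contain the current marker -> exactly one wrapper."""
    marker = random_marker()
    out = wrap_body(BODY_MIMICKING_STATIC_MARKER, marker)
    return boundary_is_unambiguous(out, marker)


if __name__ == "__main__":
    print("static marker unambiguous:", check_static())   # False
    print("random marker unambiguous:", check_random())   # True
```

The check is the kind of test a maintainer can keep in a sanitizer’s test suite: any input that makes `count_marker_boundaries` return something other than 1 for the marker actually used in that render is a boundary problem, regardless of what the input contains.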

Good news! :smile_cat: The /e/ dev team already applied the patch: Fixing XSS bug by using what is recommended here... (ccb38182) · Commits · e / infra / selfhost / nextcloud-apps / Rainloop Nextcloud · GitLab

Seems like someone read the posts here :wink:

Anyway, thanks @seven for reporting & following, and thanks to /e/ dev team for the awesome job :heart_eyes:

3 Likes

Well that is indeed good news!

It sure does seem like someone was following the conversation. :sunglasses:

I am happy to know that the /e/ dev team got right on top of this quickly! Thank you team!

And you are welcome @smu44. Being part of a small community means communicating any problems and sharing possible solutions. I was just trying to make this known, as it affected everyone who used /e/ services. Thank you for finding the patch itself and giving it a test go. Clearly you were trying to work your magic to put this solution into play. Very cool. :grin:

1 Like
