Unpatched Bug in RainLoop Webmail Could Give Hackers Access to all Emails
A potential impact to /e/mail
An unpatched high-severity security flaw has been disclosed in the open-source RainLoop web-based email client that could be weaponized to siphon emails from victims’ inboxes.
SonarSource, in its disclosure timeline, said that it notified the maintainers of RainLoop of the bug on November 30, 2021, and that the software maker has failed to issue a fix for more than four months.
In the absence of patches, SonarSource is recommending users to migrate to a RainLoop fork called SnappyMail, which is actively maintained and unaffected by the security issue.
Done for my self-hosted, working fine
For reference, the file path on self-hosted is /mnt/repo-base/volumes/nextcloud/html/custom_apps/rainloop/app/rainloop/v/1.1?.0/app/libraries/MailSo/Base/HtmlUtils.php (1.15.0 for current, 1.16.0 for NC21).
Sounds like the way to go. You should run this up with the efoundation. It would be the easiest way to go. But is this a short-term fix or long-term solution?
Since Rainloop is the email solution for /e/Mail then it is worth a look. I am sure many users enjoy using e.email as a great email option.
Why do you think Rainloop is taking so long to address this?
It is a long-term run for me, as the patch completely resolves the problem.
At least, until the Rainloop dev team comes up with a heavy rewrite AND the /e/ team decides to update their app.
This can take … some time! I’m not aware of Rainloop dev member activities, so for me it can’t be predictable.
I’ll try to use my patched self-hosted Rainloop for some days, then if OK I’ll open a Gitlab issue for /e/ dev to patch their servers.
Sounds like a good first step to address the issue. I only asked about short-term because of the article you included. It seems to suggest the Rainloop dev team has made no official effort as of yet. And like you stated, it can take time. By both articles we posted, it's been almost 6 months already. There needs to be a bit faster movement by devs to address end user concerns. I think that's why the articles suggest migrating to SnappyMail for long-term use. Mail-in-a-box seems to fit the bill as well. Of course it would be far easier to just address the issue in Rainloop. I’m sure you can work some of your magic to fix this lol. I look forward to hearing how your testing goes.
That’s what we call “open-source laws”: it’s free but there’s no guarantee, if you don’t agree you can do it yourself
So far testing is OK with regular emails, but I wasn’t able to reproduce the PoC by sending a forged “evil email” …
Anyway, I’ll open a GitLab issue in days, as promised
@smu44 Good to hear. I hope it works out well and fixes the issue. Thanks for being on the ball. Many users will thank you for it. No question. This includes myself
In the end I am sure people just want a good, Long-term solution to the issue. Whatever that may look like.
I must admit that looking at Nextcloud mail, which uses the mail-in-a-box mail service, looks like a great option, as RoundCube is only a part of the package. Especially when looking at their security guide. Very nice overall.
It also looks like Snappymail is working on Next-cloud integration as well.
I agree, some competitors may be better than Rainloop.
But I’m quite sure that the /e/ dev team won’t have the resources to migrate from a customized Rainloop, so for now we can only patch it, and hope for another webmail app in the very long term
That is exactly how I see it. The patch that you mentioned serves the immediate situation without issue. This also gives time for /e/ dev to discuss options for the long-term without having to worry about the current issue as it already has a solution. Peace of mind and breathing room. I couldn’t agree more.
I found no problem nor performance issue using the patch
That was expected: it just replaces a static tag with a random one (roughly, this tag helps the rendering engine identify the HTML part of the message).
Expect the Gitlab issue to be created during next weekend!
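A simplified illustration of the static-tag versus random-tag idea described in the post above, added here as an example and not taken from RainLoop, SnappyMail or the patch itself; the tag name, the function names and the sample message are hypothetical:

```php
<?php
// Added, simplified illustration; not RainLoop's or SnappyMail's actual code.
// Model: the sanitizer wraps the HTML part of a message in a marker tag so a
// later rendering stage can locate that part again. The tag name, the helper
// functions and the sample message body are hypothetical / constructed.
declare(strict_types=1);

const STATIC_MARKER = 'x-html-part';   // hypothetical fixed, publicly known tag name

// Per-message marker: 128 bits from the CSPRNG, so the sender cannot know it.
function freshMarker(): string
{
    return 'x-' . bin2hex(random_bytes(16));
}

// Wrap the HTML part so the rendering stage can find it later.
function wrapWithMarker(string $html, string $marker): string
{
    return "<{$marker}>{$html}</{$marker}>";
}

// Return the content of the first marker pair, or null if there is none.
function extractByMarker(string $doc, string $marker): ?string
{
    $open  = "<{$marker}>";
    $close = "</{$marker}>";
    $start = strpos($doc, $open);
    if ($start === false) {
        return null;
    }
    $start += strlen($open);
    $end = strpos($doc, $close, $start);
    return $end === false ? null : substr($doc, $start, $end - $start);
}

// True when the wrapped part comes back exactly as it went in.
function roundTrips(string $body, string $marker): bool
{
    return extractByMarker(wrapWithMarker($body, $marker), $marker) === $body;
}

// Constructed message body that happens to contain the public tag name as text.
$body = 'Hello</x-html-part><b>tail</b><x-html-part>';

// With the static marker the body's own text closes the wrapper early, so the
// rendering stage no longer sees the part the sanitizer actually wrapped.
echo 'static marker round-trips: ', var_export(roundTrips($body, STATIC_MARKER), true), PHP_EOL;

// With a fresh random marker the same text is ordinary content.
echo 'random marker round-trips: ', var_export(roundTrips($body, freshMarker()), true), PHP_EOL;
```

The marker only keeps the wrapper unambiguous; the message body still has to go through the HTML sanitizer as before.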
It sure does seem like someone was following the conversation.
I am happy to know that the /e/ dev team got right on top of this quickly! Thank you team!
And you are welcome @smu44. Being part of a small community means communicating any problems and sharing possible solutions. I was just trying to make this aware as this affected everyone who used /e/ services. Thank you for finding the patch itself and giving it a test go. Clearly you were trying to work your magic to put this solution into play. Very cool.