Security hole

Mailto-Link can be exploited to grab sensitive files!


Email is still the main means of communication in business. So-called mailto links ensure that the default email program opens automatically with a new email in which the recipient is already filled in. Researchers at Ruhr University Bochum have now discovered that such links can set not only the recipient but also attachments.

Mailto links and the benefits

Mailto links can be found on various websites that offer customer support or other services. There are also mailto links on our website, e.g. for a direct live hacking request.

Through such links, the operator of a website offers visitors an easy way to get in touch: clicking the mailto link automatically opens a new email, usually with the recipient and subject already filled in.

If we place the mouse pointer on the button “Request free offer now”, the lower left corner of the browser shows where a click on the button would take us. In this case we see the link “”. Clicking the button opens the email program with a newly composed email in which the recipient “” is already entered.

Mailto-Link LiveHacking
The link at the bottom left of the browser shows us which fields of the email are pre-entered. In this case, only the recipient is pre-entered.

Danger from undetected attachments

So far we have looked mainly at the advantages of such mailto links, but as the RUB researchers have discovered, a danger arises from the fact that these links can automatically add attachments to an email. Users who click a mailto link rarely expect their own system to add a file as an attachment automatically. Such an attachment is easily overlooked, and sensitive documents can end up being sent.

The researchers distinguish three levels of protection against this threat. Level 1 (E1) means that the email program does not allow attachments to be added via a mailto link at all, so these email programs are protected against this attack.

The second level (E2) covers email programs that allow files from the local device to be attached via a mailto link but display a warning for hidden files, so that the user can see when the mailto link accesses hidden files.

The most dangerous classification, the third level (E3), allows any file to be attached without a warning or any other indication to the user. Of the 20 email programs tested, 3 fell into the most dangerous category and one into E2. Notably, Thunderbird, one of the most popular email programs, is among the 3 programs classified as E3.
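To make the two points above concrete (which fields a mailto link pre-fills, and how an attachment parameter can hide among them), here is a small inspection tool. It is an added example, not code from the article or from the RUB research. It parses a mailto link into recipients, header fields and attachment paths, and flags attachments that point at hidden files, mirroring the E2 warning. The parameter names `attach` and `attachment` are an assumption about which query keys clients interpret as attachments; the sample links and file paths are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs, unquote
from pathlib import PurePosixPath

# Constructed sample links (not taken from the article). The first is what a
# typical contact button carries; the second additionally carries attachment
# parameters of the kind the RUB research describes.
SAMPLE_LINKS = [
    "mailto:support@example.com?subject=Request%20free%20offer%20now",
    "mailto:support@example.com?subject=Hello"
    "&attach=~/.config/secrets.txt"
    "&attachment=/home/user/Documents/contract.pdf",
]

# Assumption: query keys that some mail clients treat as "attach this file".
ATTACHMENT_KEYS = {"attach", "attachment"}


def parse_mailto(link):
    """Split a mailto link into recipients, header fields and attachment paths."""
    if not link.lower().startswith("mailto:"):
        raise ValueError("not a mailto link")
    parts = urlsplit(link)
    # The part before '?' is the recipient list, comma separated.
    recipients = [unquote(r) for r in parts.path.split(",") if r]
    # parse_qs already percent-decodes the values.
    headers = parse_qs(parts.query, keep_blank_values=True)
    attachments = []
    for key, values in headers.items():
        if key.lower() in ATTACHMENT_KEYS:
            attachments.extend(values)
    return {"recipients": recipients, "headers": headers, "attachments": attachments}


def is_hidden_path(path):
    """True if any path component is a dot-file or dot-directory (e.g. ~/.config)."""
    return any(
        part.startswith(".") and part not in (".", "..")
        for part in PurePosixPath(path).parts
    )


def assess(link):
    """Return one human-readable finding per attachment the link would add."""
    findings = []
    for path in parse_mailto(link)["attachments"]:
        kind = "hidden file" if is_hidden_path(path) else "file"
        findings.append(f"attaches {kind} {path}")
    return findings


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        info = parse_mailto(link)
        print(link)
        print("  recipients:", info["recipients"])
        print("  subject:   ", info["headers"].get("subject"))
        for finding in assess(link) or ["no attachments"]:
            print("  ", finding)
```

The first sample link yields no findings, which is the normal case for a contact button. The second shows how a link that looks like an ordinary "subject" link in the browser status bar can carry two file paths, one of them a hidden file that an E2-class client would warn about and an E3-class client would attach silently.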

Mailto links are not the only danger in email programs

In addition to the danger of unnoticed attachments described above, the researchers discovered two further dangers present in some email programs. The first attack is named A1: Key replacement by the authors. In this attack, certificates used for signatures are, in some cases, downloaded automatically by the email client.

This was the case for 6 of the 20 programs tested, so that communication through these email programs can be intercepted by a man-in-the-middle attack; signatures can thus be stolen and misused for criminal activities.

The last attack analyzed by the Bochum group concerns the theft of an S/MIME or PGP signature. To obtain the signature, a mailto link is used again, manipulated so that the email program interprets it as a valid PGP message from a communication partner and then decrypts it. 6 of the 20 email programs were vulnerable to this attack, 3 of which were classified at the most vulnerable level, O3.

The complete research results can be read on the RUB website.

Chris Wojzechowski

My name is Chris Wojzechowski and a few years ago I completed my master's degree in Internet Security in Gelsenkirchen. I am managing partner of AWARE7 GmbH, a trained IT Risk Manager and IT-Grundschutz Practitioner (TÜV), and I hold the audit competence for § 8a BSIG. Our bread-and-butter business is conducting penetration tests. Beyond that, we are committed to a broad understanding of IT security in Europe and therefore offer the majority of our products free of charge.