From Subject Received…What?

August 2018 by Forcepoint

In the course of our routine operations we noticed an interesting looking domain being queried infrequently, but from users across most of the globe. Further investigation revealed that the traffic appears to be the result of an unusual interaction between two widely used applications.

Drag & Drop

Since some of the earliest modern graphical operating systems (OS), drag and drop has been a fundamental feature providing a naturalistic way to interact with the OS and share data between applications.

For example, dragging a picture from your documents folder and dropping it right into a photo editor is usually a more convenient way than navigating to the menu bar of the editor and through the ‘Open File’ dialog or memorizing a keyboard shortcut.

Unsurprisingly, drag-and-drop quite quickly became second nature for users. Of course, mistakes happen and sometimes applications can do unexpected things when faced with data they don’t understand.

Email, meet browser

Microsoft Outlook should need little introduction for most readers. As an email client used by millions all around the world, its primary use for drag and drop as a feature (to or from external programs, at least) is adding attachments to emails or saving them to a specific location. Dragging emails themselves – as opposed to attachments – from Outlook is perhaps a little unusual, especially when the receiving application is a web browser.

These days we have the luxury of picking from a wide selection of browsers: Chrome, Firefox, Edge, Safari, Vivaldi, Opera, you name it. Most won’t generally allow you to drop anything onto their main window area: the only places you are allowed to drop anything are the address/search bar or a designated drag-and-drop area on a web app for uploading files – and in some cases that is still browser dependent.

In those that allow it, if you drop an email from Outlook into the address/search bar, you will see something like this:

From Subject Received Size Categories John Doe test 7/25/2018 67 KB

In our case John Doe is the sender and ‘test’ is the subject of the email, indicating that Outlook effectively passed over the name of the columns along with additional email properties. Not exactly a useful outcome for the average user.

Screenshot: browser address bar after the drop, reading ‘fromsubjectreceivedsizecategories’

There is one exception to the above and that is Firefox. Firefox does allow one to complete the dropping operation over the main window area - which is also considerably larger compared to those input fields. There is an unfortunate side effect to this: all those email properties are concatenated, converted into a URL and the result (www.fromsubjectreceivedsizecategories[.]com) will be opened automatically in a new tab.

It seems likely that most drags-and-drops of emails into browser windows are unintentional, perhaps by users attempting to drag an email to a folder in Windows Explorer and ‘missing’ the correct window. Either way, this result is likely to be a rather unfortunate surprise.

What about different languages?

The URL showcased above was the result of someone doing the drag and drop while Outlook’s display language is set to English. As the names of the various columns in Outlook match the display language set in options, if we modify that, the resulting URL will also change accordingly. This means the URL is localised and there are as many domains as display languages supported by Outlook.

We have verified the domains associated with a total of 16 different languages, based on the top content languages for websites and by top languages used by internet users. So far only the English one was registered; the rest are either up for grabs or throwing an error in Firefox and thus cannot be opened.

Note that many of these may show up in logs as their Punycode equivalent.

Language                 Standard URL                                          Registered
English                  www.fromsubjectreceivedsizecategories[.]com           Yes
German                   vonbetrefferhaltengrößekategorien[.]com               No
French                   www.deobjetreçutaillecatégories[.]com                 No
Italian                  www.daoggettoricevutodimensionecategorie[.]com        No
Dutch                    www.vanonderwerpontvangengroottecategorieën[.]com     No
Portuguese               www.deassuntorecebidotamanhocategorias[.]com          No
Spanish                  www.deasuntorecibidotamañocategorías[.]com            No
Russian                  www.?????????????????????????????[.]com               No
Czech                    www.odp?edm?tp?ijatovelikostkategorie[.]com           No
Polish                   www.odtematotrzymanorozmiarkategorie[.]com            No
Turkish                  Resulted in error in Firefox                          N/A
Persian                  Resulted in error in Firefox                          N/A
Arabic                   Resulted in error in Firefox                          N/A
Korean                   Resulted in error in Firefox                          N/A
Chinese (simplified)     www.?????????????[.]com                               No
Chinese (traditional)    www.?????????????[.]com                               No
Japanese                 www.????????????????[.]com                            No

(The non-Latin characters in the Russian, Czech, Chinese and Japanese entries did not survive extraction and are shown as ‘?’.)

The English landing page is currently being used as a redirect to other malicious content and scam sites. Depending on the browser’s user agent, a cryptocurrency or Apple flavoured scam will be served. After multiple tries, we were also presented an empty page offering the domain for sale.

The example above shows one of the possible redirects, this time resulting in an Ethereum scam site.

Other email clients

After testing with some popular alternative Windows email clients, the most we could get them to do was to pass over a URL previously selected in an email, or to display the whole email body after receiving it as an EML object. We noticed no similar auto-open behaviour with any other email client and browser combination.

How long has this been an issue with Firefox?

Our investigation led us to an old discussion from 2007 about unusual behaviour between Outlook and Firefox, suggesting that this bug has been present in the software for quite some time.

We contacted Mozilla to make sure they are aware and a fix is in the works, as it doesn’t appear that this bug was raised with them until early 2018. We have confirmed that the upcoming ESR 60.2 and 62 versions of Firefox (scheduled for release in early September) have a resolution in place for this issue.

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

Stage 2 (Unsolicited Content) – Attempts to access the associated URLs are blocked.

Conclusion

Unusually, what we are dealing with here is not the result of spammed-out emails, spear phishing or malicious attachments, but the use of a basic operating system feature for transferring data between two widely used third-party applications.

The action involved may be considered something of an edge case (at least when performed deliberately), but mistakes happen and, in this case, can leave you at the mercy of the content on some unexpected URLs.

Ultimately, this goes to show how easy certain use cases are to miss during testing. Naturally, we would advise companies to do some basic sanity checking about how their applications behave with drag and drop operations - on both the submitting and receiving end of data, but also that users be vigilant with what they drag and drop.

Finally, in light of the surprisingly long time between the apparent discovery of this issue and the bug being logged with Mozilla, we would also like to encourage everyone to raise such issues with vendors as they are discovered – it’s not always easy to predict the security ramifications of even relatively minor bugs.
