1. gizmo21's Avatar
    @LiamQ @mrbbsecurity @max-bb

    BlackBerry are you aware of the mailsploit vulnerability where mailapps show a wrong sender adress?


    Seem Hub is not in the list for now:

    So I tried it and it seems some of the variants also affect BlackBerry Hub:

    Best version seems to be Mozilla variant.
    You can't see any bad details in mail-view and if you copy the adress "=?utf-8?b?QkJIdWJfZXhwbG9pdGVkX2J5X3BvdHVzQHdoaXRlaG91c2 UuZ292?==?utf-8?Q?=0A=00?=@mailsploit.com"
    and put it into the to: field it converts to my spoofed:
    Last edited by gizmo21; 12-06-17 at 11:35 PM.
    12-06-17 10:33 PM
  2. gizmo21's Avatar
    The problem with Hub UI in general is that it is made difficult to really see spoofed mailadresses in from-field as much info is just ignored and left out:
    - the line is cut
    - "real" sender adress only after pressing the from line
    - no way to see full headers with all plaintext info like fully plaintext from-field, return-path, recieved, x-spam, message-id...
    - there is no source-view for knowledged people to see the complete mail
    Last edited by gizmo21; 12-06-17 at 11:29 PM.
    sebstarr and danatnr like this.
    12-06-17 11:03 PM
  3. max-bb's Avatar
    We are investigating to see if we are vulnerable to any of the encoding bugs described.
    @gizmo21 We can't show the source-view, because we don't have it and don't store it. Exchange ActiveSync, for example, doesn't actually send headers.
    12-07-17 09:23 AM
  4. LiamQ's Avatar
    We're having some internal debate about whether it's a real issue for Hub when tapping the sender icon shows the correct email address.
    12-07-17 09:42 AM
  5. max-bb's Avatar
    Okay, the researcher is actually describing two separate issues:

    1) Smuggling bad characters or @ signs in the localpart of an email address: =?... @whatever.com, with no friendly name.
    2) Smugging things that look like email addresses in the Real Name/Friendly Name part.

    For #1 it looks like we have a small issue. The hub list view isn't fooled, but the email card shows some false information. However, the real email address is still visible by holding on the name, just as you would if there was a Friendly Name there. The real email address here is clearly weird.

    For #2 : The design of the friendly name part is that anything can be displayed there, however a user could believe the name "pres@whitehouse.gov" is the email address <pres@whitehouse.gov>. However, again, the real email address is shown when holding on the name part.

    In either case, the real information is visible by holding on the from.

    We plan on addressing #1 in a future release. We are discussing what we can do about #2 , since there is no actual exploit here, just user confusion.

    Android Hub partly vulnerable by mailsploit-screenshot_20171207-110804.png
    12-07-17 10:22 AM
  6. gizmo21's Avatar
    thx all for responding and even let us be part of your internal research
    12-07-17 10:34 AM
  7. gizmo21's Avatar
    @gizmo21 We can't show the source-view, because we don't have it and don't store it. Exchange ActiveSync, for example, doesn't actually send headers.
    Well I'm not too deep into mailing protocol with EAS on external clients but my work outlook connected to Exchange shows me all headers. And for imap/pop accounts it is possible on mobile clients too, see K9.

    Is there really no Android EAS Client that could show me the headers like the "Recieved"-route or reply-to field?

    Received: from [IPXXX] (helo=host)by host.com with esmtp (Exim 4.89)(envelope-from <edmail>)id 1eMiRR8888888Nd; Wed, 06 Dec 2017 23:45:25 +0100
    Return-path: <return-path@e>
    X-Envelope-to: emailadress
    Content-Language: en-EN
    X-MS-Exchange-Organization-AuthSource: host.com
    X-MS-Has-Attach: X-MS-TNEF-Correlator:
    x-info-policy: ignored by hhhh; recipient=<email>
    x-spam-flag: NO
    x-spam-level: x-virus-scanned: amavisd-new at host
    x-spam-checker-version: SpamAssassin 3.4.1 (date) on
    Last edited by gizmo21; 12-08-17 at 02:39 AM.
    12-08-17 12:19 AM
  8. max-bb's Avatar
    Outlook is not an EAS client.

    I'm not saying it's impossible, I'm saying we don't store the headers, nor even fetch them all (to save bandwidth), so we can't just show them cause we don't have them. We'd have to fetch them again to show them to you.
    gizmo21 likes this.
    12-08-17 07:55 AM
  9. gizmo21's Avatar
    OK I understand. I know 99% of the users don't care and won't know what to do with it but for those that know and use mail in professional environment it is quite important especially in those cases where one is unsure if mail is real or fake. But I guess that is a cost-value problem.


    One last thing I want tip here on shortcomings in mail view UI/UX is the strange behaviour on trying to COPY mailaddresses out of the RECIPIENT field:

    12-08-17 08:51 AM

Similar Threads

  1. Hub Updates
    By DroidBerryGuy in forum BlackBerry HUB+ Suite
    Replies: 12
    Last Post: 12-08-17, 01:06 PM
  2. Attn: Android Developers - Pet Peeve - Flash file dates
    By C_McD in forum BlackBerry KEYone
    Replies: 3
    Last Post: 12-08-17, 08:45 AM
  3. browsers on android
    By Adamsinger77 in forum Android Apps
    Replies: 13
    Last Post: 12-07-17, 10:59 PM