Canary Mail and MailCore2 library missing certificate validation check on IMAP STARTTLS

CENSUS ID:
Affected software: Canary Mail for iOS and macOS versions 3.20 and 3.21, MailCore2 library version 0.6.4
Vulnerability class: Improper Certificate Validation (CWE-295)

Description

CENSUS performed a functional security test on a number of mail clients, looking for vulnerabilities related to man-in-the-middle attacks. CENSUS identified that Canary Mail in versions 3.20 and 3.21 (and possibly earlier versions) is missing a certificate validation check when performing an IMAP connection configured with STARTTLS. While testing Canary Mail with the IMAP STARTTLS setting, CENSUS found that the iOS and macOS versions of the software would connect without complaint to a fake IMAP service introduced by a man-in-the-middle attacker, as they performed no certificate validation. The vulnerability was verified in versions 3.20 and 3.21 of the software.

This vulnerability allows a man-in-the-middle attacker to capture a victim's email credentials as they are sent to the IMAP service, to read the victim's email messages and perform other IMAP actions on the victim's account, and to modify email messages while they are in transit to Canary Mail.

The same vulnerability affects other software based on the MailCore2 library (including version 0.6.4).

Recommendation

CENSUS strongly recommends that iOS and macOS users of Canary Mail update to version 3.22, which carries a fix for this vulnerability. A patch for the MailCore2 library is publicly available; however, it has not yet been incorporated into an official library release.
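The following Python is an added illustration of the client-side behaviour this advisory turns on; it is not CENSUS' test harness and not MailCore2 code. It models an IMAP client that (a) issues STARTTLS, (b) refuses to continue if the server declines the upgrade (an active attacker can simply strip STARTTLS), (c) upgrades the socket with a verifying TLS context, and (d) writes LOGIN only to the upgraded channel. `verifying_wrap` is the correct upgrade; `unverified_wrap` reproduces the CWE-295 pattern the advisory describes (any certificate accepted). The fake IMAP server, the hostname imap.example.test, the credentials and the two stand-in wrap callbacks (`simulated_tls_ok`, `simulated_mitm_cert`) are constructed so the three scenarios run offline over a socketpair without real certificates.

```python
import socket
import ssl
import threading


class ImapStartTlsError(Exception):
    """Raised when the STARTTLS upgrade cannot be completed safely."""


def _read_line(sock):
    """Read one CRLF-terminated IMAP line; EOF before CRLF is an error."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ImapStartTlsError("connection closed before CRLF")
        buf += chunk
    return buf[:-2].decode("ascii", "replace")


def verifying_wrap(sock, hostname):
    """Correct upgrade: CA-validated chain plus hostname match. Against an
    attacker's fake IMAP service this raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx.wrap_socket(sock, server_hostname=hostname)


def unverified_wrap(sock, hostname):
    """The CWE-295 pattern from the advisory: TLS is negotiated, but every
    certificate is accepted, so a man-in-the-middle terminates the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx.wrap_socket(sock, server_hostname=hostname)


def imap_starttls_login(sock, hostname, user, password, wrap=verifying_wrap):
    """IMAP STARTTLS upgrade (RFC 3501 section 6.2.1) followed by LOGIN. LOGIN is
    only written to the socket returned by wrap(), so a refused STARTTLS or a
    failed certificate check means no credentials leave the client."""
    greeting = _read_line(sock)
    if not greeting.startswith("* OK"):
        raise ImapStartTlsError(f"unexpected greeting: {greeting}")
    sock.sendall(b"a001 STARTTLS\r\n")
    resp = _read_line(sock)
    if not resp.startswith("a001 OK"):
        # STARTTLS refused or stripped by an active attacker: never fall back to plaintext
        raise ImapStartTlsError(f"STARTTLS refused: {resp}")
    tls = wrap(sock, hostname)  # raises if the certificate does not verify
    tls.sendall(f"a002 LOGIN {user} {password}\r\n".encode("ascii"))
    return _read_line(tls)


def fake_imap_server(conn, seen, accept_starttls):
    """Constructed fake IMAP endpoint standing in for the attacker's service.
    Records every command it receives so the caller can check for LOGIN."""
    try:
        conn.sendall(b"* OK fake IMAP ready\r\n")
        while True:
            line = _read_line(conn)
            seen.append(line)
            tag, _, cmd = line.partition(" ")
            if cmd.upper() == "STARTTLS":
                status = "OK Begin TLS negotiation now" if accept_starttls else "BAD STARTTLS not available"
                conn.sendall(f"{tag} {status}\r\n".encode("ascii"))
            elif cmd.upper().startswith("LOGIN "):
                conn.sendall(f"{tag} OK LOGIN completed\r\n".encode("ascii"))
                return
            else:
                conn.sendall(f"{tag} BAD unknown command\r\n".encode("ascii"))
    except ImapStartTlsError:
        return  # client hung up, as it should after a failed upgrade


def simulated_tls_ok(sock, hostname):
    """Stand-in for verifying_wrap() succeeding (loopback test, no real TLS)."""
    return sock


def simulated_mitm_cert(sock, hostname):
    """Stand-in for verifying_wrap() meeting an attacker-controlled certificate."""
    raise ssl.SSLCertVerificationError("certificate verify failed: self-signed certificate")


def run_scenario(accept_starttls, wrap, user="alice", password="hunter2"):
    """Run the client against the fake server over a socketpair; report the
    outcome and whether a LOGIN command ever reached the server."""
    client_sock, server_sock = socket.socketpair()
    seen = []
    t = threading.Thread(target=fake_imap_server, args=(server_sock, seen, accept_starttls), daemon=True)
    t.start()
    try:
        result = imap_starttls_login(client_sock, "imap.example.test", user, password, wrap=wrap)
    except (ImapStartTlsError, ssl.SSLError) as exc:
        result = f"aborted: {exc}"
    finally:
        client_sock.close()
    t.join(timeout=5)
    server_sock.close()
    login_sent = any(len(c.split()) > 1 and c.split()[1].upper() == "LOGIN" for c in seen)
    return {"result": result, "login_sent": login_sent}


if __name__ == "__main__":
    print("honest server:    ", run_scenario(True, simulated_tls_ok))
    print("STARTTLS stripped:", run_scenario(False, simulated_tls_ok))
    print("MITM certificate: ", run_scenario(True, simulated_mitm_cert))
```

The property worth checking in any client, including with a real fake server and a self-signed certificate as CENSUS did, is the third scenario: after the STARTTLS OK the client must abort on certificate failure and the server must never see LOGIN. A client built on `unverified_wrap` passes the first two scenarios and fails the third, which is exactly the behaviour reported for Canary Mail 3.20 and 3.21.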