The vulnerability lies in how Tutanota renders contact data with the Mithril.js framework. User-controlled input from imported contact fields is interpolated, without sanitization, into the selector string passed to Mithril's `m()` hyperscript function, which builds virtual DOM nodes and parses that first argument as `tag#id.class[attr=value]` syntax. An attacker can craft a contact field value containing a closing square bracket followed by further attribute declarations, such as ][href=https://attacker.com][style=position:fixed;top:0;left:0;width:100vw;height:100vh;opacity:0;]. The leading `]` prematurely closes the attribute bracket the code intended, and the remainder is parsed as additional `[attr=value]` tokens, injecting attacker-chosen `href` and `style` attributes. Because Mithril treats everything in the selector string as part of the hyperscript call, it renders a transparent, full-screen link that captures every click on the page.
Platform: Tutanota
Version: Pre-commit e28345f
Vulnerability: DOM Manipulation
Severity: Medium
Date: 2024-03-26
Prediction: 2024-04-02
What Undercode Say:
Simulating payload inspection
echo "Malicious Contact Snippet:" && cat malicious_contact.vcf
Example payload in context (simplified): after the website field value is interpolated into the selector, the hyperscript call that Mithril actually parses looks like this
echo 'm("a[href=][href=https://ddg.gg][style=position:fixed;width:150vw;height:200vh;]]", "Contact Website")'
// Hypothetical vulnerable code pattern
function renderContactField(value) {
  // Unsanitized user input is interpolated into the m() selector string,
  // so a value containing "]" ends the href bracket and adds attributes
  return m(`a[href=${value}]`, "Website");
}
How Exploit:
- Create a VCF contact file with a crafted field value (e.g., website URL).
- The payload closes the attribute bracket of the original `a` selector and appends new `[attr=value]` tokens, which Mithril parses as further attributes.
- Import this contact into an unpatched Tutanota client.
- When the victim views the malicious contact, a transparent, page-covering link is rendered.
- Any click redirects the victim to the attacker’s specified URL.
Protection from this CVE:
Apply the official patch from commit `tutao/tutanota@e28345f`.
Strictly validate and sanitize all user-supplied contact data before DOM integration.
Keep a strict Content Security Policy (CSP) in place. Note that CSP does not block ordinary navigation through an injected link; what it does is stop a `javascript:` URL in the injected `href` from executing. Restricting the `href` itself, for example to http(s) URLs, must be done by validating the value.
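The following is an added example, not code from the Tutanota project or from Mithril.js. It re-implements the `[attr=value]` selector grammar that `m()` applies to its first argument (assumed to match Mithril's documented behaviour) so that the injection described above and the fix recommended here can be run side by side offline. `hyperscript()` is a stand-in for `m()` that only builds the attribute map; the function names, the attacker URL and the payload string are constructed for this example.

```javascript
// Added example, not code from Tutanota or from Mithril.js.
// parseSelector() re-implements the selector grammar that Mithril's m()
// applies to its first argument (assumed to match Mithril's behaviour);
// hyperscript() is a stand-in for m() that only builds the attribute map.
// Function names, the attacker URL and the payload are constructed.

const SELECTOR_RE =
  /(?:(^|#|\.)([^#\.\[\]]+))|(\[(.+?)(?:\s*=\s*("|'|)((?:\\["'\]]|.)*?)\5)?\])/g;

// Split "tag#id.class[attr=value]" into tag name, attributes and classes.
function parseSelector(selector) {
  const tag = { name: "div", attrs: {}, classes: [] };
  let m;
  SELECTOR_RE.lastIndex = 0;
  while ((m = SELECTOR_RE.exec(selector)) !== null) {
    const type = m[1], value = m[2], bracket = m[3], attrName = m[4];
    let attrValue = m[6];
    if (type === "" && value !== "") tag.name = value;
    else if (type === "#") tag.attrs.id = value;
    else if (type === ".") tag.classes.push(value);
    else if (bracket && bracket[0] === "[") {
      // unescape \" \' and \\ inside quoted attribute values
      if (attrValue) attrValue = attrValue.replace(/\\(["'])/g, "$1").replace(/\\\\/g, "\\");
      if (attrName === "class") tag.classes.push(attrValue);
      else tag.attrs[attrName] = attrValue === "" ? "" : (attrValue || true);
    }
  }
  return tag;
}

// Minimal m() stand-in: attributes parsed from the selector first, then the
// explicit attrs object, whose values take precedence.
function hyperscript(selector, attrs = {}, children = []) {
  const parsed = parseSelector(selector);
  return { tag: parsed.name, attrs: { ...parsed.attrs, ...attrs }, children };
}

// Vulnerable pattern (hypothetical): the contact's website value is
// interpolated into the selector, so a "]" in it ends the href bracket and
// everything after it is parsed as further [attr=value] tokens.
function renderWebsiteLinkVulnerable(website) {
  return hyperscript(`a[href=${website}]`, {}, ["Website"]);
}

// Hardened pattern: constant selector, user data only in the attrs object
// (never parsed as selector syntax), and the href limited to http(s) URLs.
function isHttpUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === "https:" || u.protocol === "http:";
  } catch {
    return false; // no scheme or otherwise unparsable
  }
}

function renderWebsiteLinkFixed(website) {
  return hyperscript("a", { href: isHttpUrl(website) ? website : "" }, ["Website"]);
}

// Constructed payload in the style of the one described on this page.
const PAYLOAD =
  "][href=https://attacker.example][style=position:fixed;top:0;left:0;width:100vw;height:100vh;opacity:0;]";

console.log("vulnerable:", renderWebsiteLinkVulnerable(PAYLOAD).attrs);
// -> { href: 'https://attacker.example', style: 'position:fixed;top:0;left:0;width:100vw;height:100vh;opacity:0;' }
console.log("fixed:", renderWebsiteLinkFixed(PAYLOAD).attrs);
// -> { href: '' }
```

In the hardened form the whole payload string would become the value of a single `href` attribute, and the `style` attribute never appears; the scheme check then empties that `href` because the payload is not an http(s) URL, and it also rejects `javascript:` values instead of relying on CSP to block them.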
Impact:
UI redressing and clickjacking leading to forced navigation: every click on the affected view follows the attacker's link. Execution of a `javascript:` URL in the injected `href` is prevented by the client's CSP, so the bug does not escalate to script execution.
Sources:
Reported By: github.com

