Unfixed bug in RainLoop Webmail could give hackers access to all emails

An unpatched high-severity security flaw has been revealed in the open-source webmail client RainLoop that may be weaponized to siphon emails from victims’ inboxes.

“The vulnerability of the code […] can be easily exploited by an attacker sending a malicious email to a victim using RainLoop as an email client,” Simon Scannell, security researcher at SonarSource, said in a report published this week.

“When the email is viewed by the victim, the attacker takes full control of the victim’s session and can steal any of their emails, including those containing highly sensitive information such as passwords, documents, and password reset links.”


Tracked as CVE-2022-29360, the flaw is a stored cross-site scripting (XSS) vulnerability affecting the latest version of RainLoop (v1.16.0), which was released on May 7, 2021.

Stored XSS flaws, also known as persistent XSS, occur when a malicious script is injected directly into the server of a target web application by means of user input (e.g. a comment field) that is stored permanently in a database and is then served to other users.
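To make the stored-XSS pattern concrete, the following is an added example written for this article; it is not RainLoop's code and makes no claim about where the real bug sits in that project. A toy mailbox stores messages verbatim (as any mail store does) and two renderers turn them into an inbox page: one concatenates sender-controlled header values straight into HTML, the other applies contextual output encoding with Python's `html.escape`. The message data and the `Message`/`Mailbox` names are constructed for the demonstration.

```python
import html
from dataclasses import dataclass, field


@dataclass
class Message:
    """Constructed stand-in for a parsed inbound email (two header fields only)."""
    sender: str
    subject: str


@dataclass
class Mailbox:
    """Stand-in for the server-side message store.

    It keeps whatever it is given, verbatim, just as a real IMAP store would.
    The defect in stored XSS is not that the data is persisted; it is that the
    persisted data is later written into HTML without encoding.
    """
    messages: list = field(default_factory=list)

    def store(self, msg: Message) -> None:
        self.messages.append(msg)


def render_inbox_unsafe(box: Mailbox) -> str:
    """Vulnerable pattern: attacker-controlled header text lands in the page
    as raw markup. Every user who opens the inbox re-executes it."""
    rows = []
    for m in box.messages:
        rows.append(f"<tr><td>{m.sender}</td><td>{m.subject}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def render_inbox_safe(box: Mailbox) -> str:
    """Hardened pattern: encode at the HTML sink. html.escape turns <, >, &
    and both quote characters into entities, so the browser displays the
    subject as text instead of interpreting it as an element."""
    def esc(value: str) -> str:
        return html.escape(value, quote=True)

    rows = []
    for m in box.messages:
        rows.append(f"<tr><td>{esc(m.sender)}</td><td>{esc(m.subject)}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


# Constructed sample inbox: one benign message and one whose Subject header
# carries an image tag with an inline event handler (a generic XSS probe).
CONSTRUCTED_INBOX = Mailbox()
CONSTRUCTED_INBOX.store(Message("alice@example.com", "Lunch tomorrow?"))
CONSTRUCTED_INBOX.store(
    Message("mallory@example.com", 'Invoice <img src=x onerror="alert(1)">')
)

if __name__ == "__main__":
    print("unsafe:", render_inbox_unsafe(CONSTRUCTED_INBOX))
    print("safe:  ", render_inbox_safe(CONSTRUCTED_INBOX))
```

The check a reviewer wants to see is that the encoded output contains no `<img` at all, only `&lt;img`. The same encoding has to be applied at every HTML sink that displays header or body data, not just the inbox listing; the display name, the reply quote and the attachment list are equally sender-controlled.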

Impacting all installations of RainLoop running under default configurations, an attack exploiting the flaw could take the form of a specially crafted email sent to potential victims which, when viewed, executes a malicious JavaScript payload in the browser without requiring any further user interaction.


SonarSource, in its disclosure timeline, said it notified RainLoop maintainers of the bug on Nov. 30, 2021, and that the software maker hadn’t released a fix for more than four months.

An issue raised on GitHub by the Swiss code quality and security company on December 6, 2021, remains open to date. We’ve reached out to RainLoop for comment, and we’ll update the story if we hear back.

In the absence of patches, SonarSource recommends that users migrate to a RainLoop fork called SnappyMail, which is actively maintained and unaffected by the security issue.