You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication

Presented at Black Hat USA 2020 Virtual, Aug. 6, 2020, 2:30 p.m. (40 minutes).

Our study demonstrates an unfortunate fact that even a conscientious security professional using a state-of-the-art email provider service like Gmail cannot with confidence readily determine, when receiving an email, whether it is forged.

We identified 18 types of attacks to bypass email sender authentication (including SPF, DKIM, and DMARC). Leveraging those techniques, an attacker can impersonate arbitrary senders without breaking authentication and even forge DKIM-signed emails with a legitimate site's signature. We evaluated our attacks against 10 popular email providers (e.g., Gmail.com, iCloud.com) and 19 email clients (e.g., Outlook, Thunderbird), and found all of them proved vulnerable to various attacks. We reported our findings to the affected vendors, who rewarded our report and are actively addressing them.

The root cause of the problem lies in insecure composition, a rising threat in today's distributed systems. The techniques we developed can be applied to identify similar vulnerabilities in other systems. We will make our testing tool publicly available via GitHub to aid the community in securing additional email systems.
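The abstract's point is that DMARC only protects the From domain when every component agrees on what that domain is. A receiver-side check that refuses to guess, as an added example that is not the authors' testing tool nor code from the talk: it treats a message as ambiguous if it carries more than one From header or more than one From address (RFC 7489 says such messages should be rejected), trusts only Authentication-Results headers stamped with the receiver's own authserv-id, and then requires strict (exact-domain) alignment between the From domain and an SPF- or DKIM-authenticated domain. The authserv-id `mx.receiver.example`, the domains and the sample messages are constructed for this example; relaxed organizational-domain alignment is deliberately left out.

```python
import re
from email import message_from_bytes
from email.policy import default as DEFAULT_POLICY

# Tokens of an RFC 8601 style Authentication-Results header, e.g.
# "spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example".
_SPF_RE = re.compile(r"\bspf=(\w+)(?:[^;]*?\bsmtp\.mailfrom=([^;\s]+))?", re.I)
_DKIM_RE = re.compile(r"\bdkim=(\w+)(?:[^;]*?\bheader\.d=([^;\s]+))?", re.I)


def _authenticated_domains(msg, authserv_id):
    """Domains that *our* MTA authenticated via SPF or DKIM.

    Only Authentication-Results headers whose authserv-id is ours are trusted;
    any others were present before the message reached us and prove nothing.
    """
    domains = set()
    for header in msg.get_all("Authentication-Results") or []:
        head, _, body = str(header).partition(";")
        tokens = head.split()
        if not tokens or tokens[0].lower() != authserv_id.lower():
            continue
        m = _SPF_RE.search(body)
        if m and m.group(1).lower() == "pass" and m.group(2):
            # smtp.mailfrom may be a bare domain or a full address; keep the domain
            domains.add(m.group(2).lower().rpartition("@")[2])
        for m in _DKIM_RE.finditer(body):
            if m.group(1).lower() == "pass" and m.group(2):
                domains.add(m.group(2).lower())
    return domains


def evaluate_from_alignment(raw_message: bytes, authserv_id: str) -> dict:
    """Strict DMARC-style alignment check with structural sanity checks.

    status is "ambiguous" when the From header cannot be read unambiguously,
    "aligned" when the single From domain was authenticated by us, else
    "unaligned".  Strict mode only: exact domain match, no relaxed alignment.
    """
    msg = message_from_bytes(raw_message, policy=DEFAULT_POLICY)
    problems = []

    from_headers = msg.get_all("From") or []
    if len(from_headers) != 1:
        problems.append(f"expected one From header, found {len(from_headers)}")
    addresses = [a for h in from_headers for a in h.addresses]
    if len(addresses) != 1:
        problems.append(f"expected one From address, found {len(addresses)}")
    for h in from_headers:
        problems.extend(type(d).__name__ for d in h.defects)  # parser complaints

    from_domain = addresses[0].domain.lower() if len(addresses) == 1 else None
    authenticated = _authenticated_domains(msg, authserv_id)
    aligned = from_domain is not None and from_domain in authenticated

    status = "ambiguous" if problems else ("aligned" if aligned else "unaligned")
    return {"status": status, "from_domain": from_domain,
            "authenticated_domains": sorted(authenticated), "problems": problems}


# Constructed samples; mx.receiver.example is the hypothetical authserv-id of our MTA.
OUR_AUTHSERV_ID = "mx.receiver.example"

CLEAN = (b"Authentication-Results: mx.receiver.example;\n"
         b" spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example\n"
         b"From: Alice <alice@sender.example>\nSubject: invoice\n\nbody\n")

DUPLICATE_FROM = (b"Authentication-Results: mx.receiver.example;\n"
                  b" spf=pass smtp.mailfrom=other.example; dkim=pass header.d=other.example\n"
                  b"From: Support <support@sender.example>\nFrom: Relay <relay@other.example>\n"
                  b"Subject: invoice\n\nbody\n")

TWO_ADDRESSES = (b"Authentication-Results: mx.receiver.example;\n"
                 b" spf=pass smtp.mailfrom=other.example; dkim=none\n"
                 b"From: Alice <alice@sender.example>, Relay <relay@other.example>\n"
                 b"Subject: invoice\n\nbody\n")

FOREIGN_RESULTS = (b"Authentication-Results: some-other-host.example;\n"
                   b" spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example\n"
                   b"From: Alice <alice@sender.example>\nSubject: invoice\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("clean", CLEAN), ("duplicate From", DUPLICATE_FROM),
                      ("two addresses", TWO_ADDRESSES), ("foreign results", FOREIGN_RESULTS)]:
        print(name, evaluate_from_alignment(raw, OUR_AUTHSERV_ID))
```

The useful property of this check is that it fails closed: anything a client might render differently from the authenticator (two From headers, a From list) is reported as ambiguous rather than resolved by picking one, and an Authentication-Results header not stamped by the receiver counts for nothing.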

Presenters:

  • Jian Jiang - Senior Director of Engineering, Shape Security
    Jian Jiang is the senior director of engineering at Shape Security (part of F5). He is interested in looking at security problems in real-world environments and developing practical solutions. He has done security research around Internet systems/protocols such as DNS, CDN, and HTTP.
  • Vern Paxson - Professor, Co-Founder, UC Berkeley, Corelight
    Vern Paxson is Co-Founder and Chief Scientist at Corelight, and Professor of Computer Science at the University of California, Berkeley. He also leads the Networking and Security Group at the International Computer Science Institute in Berkeley, California. His wide-ranging research interests include Internet measurement, high-performance network monitoring, detection algorithms, and combatting cybercrime, censorship, and abusive surveillance.
  • Jianjun Chen - Postdoc Researcher, International Computer Science Institute
    Jianjun Chen is a Postdoc Researcher at the International Computer Science Institute (ICSI), an independent non-profit research institute affiliated with the University of California, Berkeley. His research focuses on studying real-world systems to understand their security challenges, such as security issues in CDNs, HTTP implementations, web browsers, and email systems. His previous research has been recognized by the top-tier academic security conferences (e.g., NDSS, ACM CCS, USENIX Security) and led to some real-world security pushes, such as patches in popular HTTP implementations (e.g., Squid, Chrome, Firefox), security advisories by industrial companies (e.g., Akamai, Cloudflare, Apple), a web standard change, and a new IETF RFC (RFC 8586).
