Over 30 Popular Email Clients Vulnerable to MailSploit Attacks
Security researcher Sabri Haddouche has discovered a series of vulnerabilities collectively known as MailSploit, which allow malicious emails to bypass anti-spoofing protections. These vulnerabilities affect 33 popular email clients, including Apple Mail (macOS, iOS, and watchOS), Mozilla Thunderbird, several Microsoft email clients, Yahoo Mail, ProtonMail, and others.
How MailSploit Works
Although most email clients implement anti-spoofing mechanisms such as DKIM and DMARC, MailSploit enables attackers to bypass these protections by exploiting the way email clients and web interfaces decode and display the sender (From) field. To demonstrate the attack, Haddouche created a payload by encoding invisible characters in the email header, and successfully sent a fake email that appeared to come from the official address of the President of the United States.
“By using combinations of control characters, such as new lines or null bytes, it’s possible to hide or remove part of the original sender’s domain,” the researcher explained.
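The following is an added defender-side example, not code from the researcher or from any of the affected clients. It decodes RFC 2047 encoded-words in a From header with Python's standard library, flags control characters such as NUL or newline that survive decoding, and shows what a client that stops rendering at the first control character would display next to the address a correct parser actually sees. The sample headers and the `ceo@bank.example` / `sender@example.net` addresses are constructed placeholders.

```python
import base64
import email.header
import email.utils

# Constructed sample From headers (not taken from the original research).
# The second and third hide a control character inside an RFC 2047
# encoded-word in the display name, the header-parsing weakness the
# article describes; "ceo@bank.example" is a placeholder victim address.
SAMPLE_FROM_HEADERS = {
    "clean": "Alice Example <alice@example.com>",
    "null_byte": "=?utf-8?B?"
    + base64.b64encode(b"ceo@bank.example\x00").decode("ascii")
    + "?= <sender@example.net>",
    "newline": "=?utf-8?Q?ceo=40bank.example=0A?= <sender@example.net>",
}


def decode_from_header(raw_header):
    """Decode every RFC 2047 encoded-word in a From header into one str."""
    pieces = []
    for chunk, charset in email.header.decode_header(raw_header):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        pieces.append(chunk)
    return "".join(pieces)


def inspect_from_header(raw_header):
    """Flag control characters that survive encoded-word decoding.

    Returns the decoded header, the address a correct parser sees, the
    text a client that stops at the first NUL or newline would show,
    the control characters found, and a verdict.
    """
    decoded = decode_from_header(raw_header)
    real_address = email.utils.parseaddr(raw_header)[1]
    # What a client that truncates at the first control character renders.
    truncated = decoded
    for stop in ("\x00", "\r", "\n"):
        truncated = truncated.split(stop, 1)[0]
    controls = sorted(
        {f"U+{ord(c):04X}" for c in decoded if ord(c) < 0x20 or ord(c) == 0x7F}
    )
    return {
        "decoded": decoded,
        "real_address": real_address,
        "truncated_view": truncated.strip(),
        "control_chars": controls,
        "suspicious": bool(controls),
    }
```

A mail gateway or client that applies this check would reject or visibly mark a message whose display name decodes to anything containing a control character, instead of silently truncating it.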
Additional Vulnerabilities
In addition to spoofing, Haddouche also found that some email clients—including Hushmail, Open Mailbox, Spark, and Airmail—are vulnerable to XSS (Cross-Site Scripting) attacks.
Response from Developers
Haddouche notified the developers of all 33 affected email clients. Eight of them have already fixed the issues in their products, and another twelve are currently working on patches. The full list of vulnerable email clients can be found here.
Video Demonstration
A video demonstrating the vulnerability is available for further details.
What Are DKIM and DMARC?
- DomainKeys Identified Mail (DKIM): An authentication method designed to detect forged messages sent via email.
- Domain-based Message Authentication, Reporting and Conformance (DMARC): A technical specification aimed at reducing spam and phishing emails by identifying sender domains based on rules and characteristics set on the recipient’s mail server.