STARTTLS Flaws in Email Clients Let Hackers Steal Credentials From Apple Mail, Gmail, Mozilla Thunderbird

Security researchers have recently disclosed nearly 40 different vulnerabilities related to STARTTLS, an opportunistic encryption mechanism used by mail clients and servers.

These flaws open the door to targeted man-in-the-middle (MitM) attacks, enabling an attacker to tamper with mailbox contents and to steal login credentials.

All of the flaws concern STARTTLS, and they were analyzed by a group of security researchers who presented their work at the 30th USENIX Security Symposium:-

  • Fabian Ising
  • Damian Poddebniak
  • Hanno Böck
  • Sebastian Schinzel

In an Internet-wide scan conducted during the study, 320,000 email servers were found to be vulnerable to what is called a command injection attack.

The security researchers describe the following attacks that these flaws make possible:-

  1. Stealing Login Credentials with SMTP and IMAP via Command Injection
  2. Mailbox content forgery via Response Injection
  3. IMAP connection downgrade via PREAUTH and credential-stealing with REFERRAL

Affected Email clients

After investigating the flaws, the security experts identified 320,000 vulnerable email servers in an Internet-wide scan. They also carried out a coordinated disclosure involving several CERTs.

However, it is not feasible to notify, and to track the patching of, every mail service provider on the Internet.

That is why they identified and prioritized the most popular mail service providers, and on that basis suggested the following list of email clients and servers that are affected by these flaws:-

  • Apple Mail 
  • Mozilla Thunderbird
  • Claws Mail
  • Mutt
  • Evolution
  • LibEtPan 
  • Exim
  • Gmail
  • Yandex
  • PHP
  • Samsung Email
  • Alpine
  • Trojitá
  • KMail
  • Sylpheed
  • OfflineIMAP
  • GMX / Mail Collector
  • Outlook
  • Geary
  • Ruby Net
  • Balsa
  • Nemesis
  • Yahoo
  • s/qmail
  • Coremail
  • Citadel
  • recvmail
  • Gordano GMS
  • SmarterMail
  • Burp Collaborator
  • Dovecot
  • Mercury/32
  • QMail Toaster
  • Courier
  • IPswitch IMail


The security experts have also made some recommendations, which are listed below:-

  • For Email Client Users: Every user should check and configure their email clients to use SMTP, POP3, and IMAP with implicit TLS on the dedicated ports, i.e., SMTP/Submission on port 465, POP3 on port 995, and IMAP on port 993.
  • For Application Developers: Audit STARTTLS handling on both the server and the client side for the bugs that have been discovered. In addition, every application must guarantee that no unencrypted content received before the TLS handshake is ever treated as part of the encrypted connection.

Apart from this, all of the detected vulnerabilities lie in the transition from a plaintext connection to an encrypted one. Implicit TLS has no such transition, and is therefore not vulnerable to any of these attacks.
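The following Python snippet is an added example written for this article; it is not code from the researchers' paper or from any of the listed products. It shows the two developer-side checks the recommendations call for (rejecting any plaintext that arrives after a STARTTLS reply instead of feeding it to the protocol parser, and refusing to upgrade an IMAP session that was greeted with PREAUTH), together with the implicit TLS client configuration on ports 465, 995 and 993 recommended for users. The sample server replies are constructed for illustration, and the host name in the connection helpers is a placeholder.

```python
# Added example: defensive handling of the STARTTLS transition and an
# implicit-TLS client configuration. Not code from the article's sources.
import imaplib
import poplib
import smtplib
import ssl

CRLF = b"\r\n"

# Constructed sample replies (not captured from any real server).
CLEAN_SMTP_REPLY = b"220 2.0.0 Ready to start TLS\r\n"
# Extra plaintext after the 220 line, the condition the injection attacks rely on.
TAINTED_SMTP_REPLY = b"220 2.0.0 Ready to start TLS\r\n250 OK\r\n"

# Implicit TLS ports recommended by the article.
IMPLICIT_TLS_PORTS = {"smtp": 465, "pop3": 995, "imap": 993}


def smtp_starttls_transition_ok(buf: bytes) -> bool:
    """Return True only if the bytes read for the STARTTLS reply are exactly one
    complete 220 line. Anything after the first CRLF arrived in plaintext before
    the TLS handshake and must never be passed to the parser as encrypted data."""
    if not buf.endswith(CRLF):
        return False  # partial read: keep reading, do not guess
    line, _, trailing = buf.partition(CRLF)
    return line.startswith(b"220") and trailing == b""


def imap_starttls_transition_ok(tag: bytes, buf: bytes) -> bool:
    """IMAP variant: the tagged OK for our STARTTLS command must be the final line;
    only untagged ('* ') lines may precede it, and nothing may follow it."""
    if not buf.endswith(CRLF):
        return False
    lines = buf[:-2].split(CRLF)
    for i, line in enumerate(lines):
        if line.startswith(tag + b" "):
            return line.startswith(tag + b" OK") and i == len(lines) - 1
        if not line.startswith(b"* "):
            return False  # stray bytes before our tagged reply
    return False  # tagged reply not received yet


def imap_greeting_permits_starttls(greeting: bytes) -> bool:
    """A PREAUTH greeting places the session directly in the authenticated state,
    where STARTTLS is not allowed. A client that intends to upgrade must treat
    PREAUTH (or BYE) on a plaintext connection as a downgrade and abort."""
    return greeting.startswith(b"* OK")


def implicit_tls_context() -> ssl.SSLContext:
    """Strict context: certificate and hostname verification on, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Connection helpers using implicit TLS, so there is no plaintext-to-TLS
# transition at all. "mail.example.invalid" is a placeholder host name.
def open_smtp(host: str = "mail.example.invalid") -> smtplib.SMTP_SSL:
    return smtplib.SMTP_SSL(host, IMPLICIT_TLS_PORTS["smtp"],
                            context=implicit_tls_context())


def open_pop3(host: str = "mail.example.invalid") -> poplib.POP3_SSL:
    return poplib.POP3_SSL(host, IMPLICIT_TLS_PORTS["pop3"],
                           context=implicit_tls_context())


def open_imap(host: str = "mail.example.invalid") -> imaplib.IMAP4_SSL:
    return imaplib.IMAP4_SSL(host, IMPLICIT_TLS_PORTS["imap"],
                             ssl_context=implicit_tls_context())


if __name__ == "__main__":
    print("clean SMTP reply accepted:", smtp_starttls_transition_ok(CLEAN_SMTP_REPLY))
    print("tainted SMTP reply rejected:", not smtp_starttls_transition_ok(TAINTED_SMTP_REPLY))
    print("PREAUTH greeting rejected:", not imap_greeting_permits_starttls(b"* PREAUTH ready\r\n"))
```

The transition checks are deliberately strict: a partial read is reported as not-ok so the caller keeps reading rather than guessing, and any surplus bytes cause the connection to be dropped instead of being buffered into the TLS session. The connection helpers are only a configuration; they do not run in the checks above.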


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.