Please disable your adblock and script blockers to view this page

Decades-Old Email Flaws Could Let Attackers Mask Their Identities

Domain-Based Message Authentication
the University of California, Berkeley
the International Computer Science Institute
Shape Security."Even
a Message-ID
Microsoft Outlook
Yahoo Mail
Condé Nast
Affiliate Partnerships

Lily Hay NewmanTo
Vern Paxson
Jianjun Chen
Jian Jiang

No matching tags

No matching tags



No matching tags

Positivity     38.00%   
   Negativity   62.00%
The New York Times
Write a review: Wired

Those industry-standard "headers," as they're known, include date and time sent and received, language, a unique identifier called a Message-ID, and routing information.The researchers found that by strategically manipulating different header fields they can produce different types of attacks, all of which can be used to deceive the person on the other end of an email. Those sorts of incongruities create openings for attackers to set up strategic email domains or manipulate message headers to pose as someone else.The second category focuses on manipulating similar inconsistencies, but between the mail server that receives your message and the app that actually displays it to you. Depending on where the email service lands on that spectrum—and how the mail client is configured—attackers can game this progression to send emails that look like they came from a different address than they really did.The researchers call the third category "ambiguous replay," because it includes different methods of hijacking and repurposing (or replaying) a legitimate email an attacker has received. That bit of misdirection makes it look like the attacker's message came from the original, legitimate sender and has been fully authenticated.Though most people use their email accounts without ever checking what's in all of these hidden headers, email services provide the option.

As said here by Wired