From Subject Received…What?
In the course of our routine operations we noticed an interesting looking domain being queried infrequently, but from users across most of the globe. Further investigation revealed that the traffic appears to be the result of an unusual interaction between two widely used applications.
[UPDATE: Aug 22, 2018]
Mozilla has assigned CVE-2018-12381 to this bug.
Details of Mozilla Firefox security advisories, whether for the Release channel or ESR channel, are available at: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/
[UPDATE: Sep 7, 2018]
Mozilla has made a fix available for CVE-2018-12381 in the Firefox 62 and Firefox ESR 60.2 channels.
Drag & Drop
Since some of the earliest modern graphical operating systems (OS), drag and drop has been a fundamental feature providing a naturalistic way to interact with the OS and share data between applications.
For example, dragging a picture from your documents folder and dropping it right into a photo editor is usually a more convenient way than navigating to the menu bar of the editor and through the ‘Open File’ dialog or memorizing a keyboard shortcut.
Unsurprisingly, drag-and-drop quite quickly became second nature for users. Of course, mistakes happen and sometimes applications can do unexpected things when faced with data they don’t understand.
Email, meet browser
Microsoft Outlook should need little introduction for most readers. As an email client used by millions all around the world, its primary use for drag and drop as a feature (to or from external programs, at least) is adding attachments to emails or saving them to a specific location. Dragging emails themselves – as opposed to attachments – from Outlook is perhaps a little unusual, especially when the receiving application is a web browser.
These days we have the luxury of picking from a wide selection of browsers: Chrome, Firefox, Edge, Safari, Vivaldi, Opera, you name it. Most won't generally allow you to drop anything onto their main window area: the only place you are allowed to drop anything is either the address/search bar or a designated drag-and-drop area on a web app for uploading files – and in some cases that is still browser dependant.
In those that allow it, if you drop an email from Outlook into the address/search bar, you will see something like this:
From Subject Received Size Categories John Doe test 7/25/2018 67 KB
In our case John Doe is the sender and ‘test’ is the subject of the email, indicating that Outlook effectively passed over the name of the columns along with additional email properties. Not exactly a useful outcome for the average user.
fromsubjectreceivedsizecategories
There is one exception to the above and that is Firefox. Firefox does allow one to complete the dropping operation over the main window area - which is also considerably larger compared to those input fields. There is an unfortunate side effect to this: all those email properties are concatenated, converted into a URL and the result (www.fromsubjectreceivedsizecategories[.]com) will be opened automatically in a new tab.
It seems likely that most drags-and-drops of emails into browser windows are unintentional, perhaps by users attempting to drag an email to a folder in Windows Explorer and ‘missing’ the correct window. Either way, this result is likely to be a rather unfortunate surprise.
What about different languages?
The URL showcased above was the result of someone doing the drag and drop while Outlook's display language is set to English. As the names of the various columns in Outlook match the display language set in options, if we modify that, the resulting URL will also change accordingly. This means the URL is localised and there are as many domains as display languages supported by Outlook.
We have verified the domains associated with a total of 16 different languages, based on the top content languages for websites and by top languages used by internet users. So far only the English one was registered; the rest are either up for grabs or throwing an error in Firefox and thus cannot be opened.
Note that many of these may show up in logs as their Punycode equivalent.
|
Language |
Standard URL |
Registered |
|
English |
www.fromsubjectreceivedsizecategories.com |
Yes |
|
German |
vonbetrefferhaltengrößekategorien.com |
No |
|
French |
www.deobjetreçutaillecatégories.com |
No |
|
Italian |
www.daoggettoricevutodimensionecategorie.com |
No |
|
Dutch |
www.vanonderwerpontvangengroottecategorieën.com |
No |
|
Portuguese |
www.deassuntorecebidotamanhocategorias.com |
No |
|
Spanish |
www.deasuntorecibidotamañocategorías.com |
No |
|
Russian |
www.оттемаполученоразмеркатегории.com |
No |
|
Czech |
www.odpředmětpřijatovelikostkategorie.com |
No |
|
Polish |
www.odtematotrzymanorozmiarkategorie.com |
No |
|
Turkish |
Resulted in error in Firefox |
N/A |
|
Persian |
Resulted in error in Firefox |
N/A |
|
Arabic |
Resulted in error in Firefox |
N/A |
|
Korean |
Resulted in error in Firefox |
N/A |
|
Chinese (simplified) |
www.发件人主题接收时间大小类别.com |
No |
|
Chinese (traditional) |
www.寄件者主旨收到日期大小類別.com |
No |
|
Japanese |
www.差出人件名受信日時サイズ分類項目.com |
No |
The English landing page is currently being used as a redirect to other malicious content and scam sites. Depending on the browser’s user agent, a cryptocurrency or Apple flavoured scam will be served. After multiple tries, we were also presented an empty page offering the domain for sale.
The example above shows one of the possible redirects, this time resulting in an Ethereum scam site.
Other email clients
After testing with some popular alternative Windows email clients, the most we could get them to do was passing over a URL previously selected in an email or displaying the whole email body after receiving it as an EML object. We noticed no similar auto-open behaviour with any other email client and browser combination.
How long this been an issue with Firefox?
Our investigation led us to an old discussion from 2007 about unusual behaviour between Outlook and Firefox, suggesting that this bug has been present in the software for quite some time.
We contacted Mozilla to make sure they are aware and a fix is in the works, as it doesn’t appear that this bug was raised with them until early 2018. We have confirmed that the upcoming ESR 60.2 and 62 versions of Firefox (scheduled for release in early September) have a resolution in place for this issue.
Protection Statement
Forcepoint customers are protected against this threat at the following stages of attack:
Stage 2 (Unsolicited Content) – Attempts to access the associated URLs are blocked.
Conclusion
Unusually, what we are dealing with here is not the result of spammed out emails, spear phishing or malicious attachments, but using a basic feature of an operating system for transferring data between two widely used 3rd party applications.
The action involved may be considered something of an edge case (at least when performed deliberately), but mistakes happen and, in this case, can leave you at the mercy of the content on some unexpected URLs.
Ultimately, this goes to show how easy certain use cases are to miss during testing. Naturally, we would advise companies to do some basic sanity checking about how their applications behave with drag and drop operations - on both the submitting and receiving end of data, but also that users be vigilant with what they drag and drop.
Finally, in light of the surprisingly long time between the apparent discovery of this issue and the bug being logged with Mozilla, we would also like to encourage everyone to raise such issues with vendors as they are discovered – it’s not always easy to predict the security ramifications of even relatively minor bugs.
