Back to Community Threads
4
Downloadable attachments in webmail without login to email account
Problem reported by Endr - 2/23/2022 at 10:27 AM
Submitted
Hi

We have got a notification from google about "Malicious or unwanted software detected" on our mail server.
After our investigation we saw that all attachments in webmail can be downloaded without login to that email account.
So anyone who knows the attachment url can download that attachment without login to that email.
Because file url is generated only one time. It is static url, if you keep the email in same folder.
As much as we see there is no session control on that download link. (Not file share app, just attachment in webmail)

You can try those steps;
-Send an email to your mail address with a file.
-Right click the attachment and copy the url
-logout from that email account
-In different browser or private mode paste the url
It is downloadable.


It comes to us it is like a security issue.
Also those urls are tracked by chrome browsers and some antivirus programs reports malicious file urls to google safe program.
If it is not moved for a period of time google flag that page as unsafe and after that no one can download file from webmail. 

Have you ever faced that kind of problem? If yes how did you solve it.

Thank you

2 Replies

Reply to Thread
0
Gabriele Maoret - SERSIS Replied
2/23/2022 at 1:02 PM
+1
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
2
Matt Petty Replied
2/23/2022 at 2:41 PM
Employee Post
The URL's generated by your server are unique to your server and encrypted with a per-server key. There is NO way for someone outside of your server to find out what URL's (or generate new URLS) they can use to download things. If you are using HTTPS the url can not be sniffed. The only way for something to find the URL's is to run locally within the browser or something malicious running on the server itself. In either of those two cases, changing how we download something wouldn't change those attack vectors. The real crappy hard to address issue here is the inability to control Google's grabby little hands on any piece of private information they can get their hands on despite us issuing the required Headers and endpoints that should dissuade them from accessing/indexing this information in the first place.

But I agree this is still kind of a security issue, just a very specific one that can't be abused. Maybe we could investigate doing stuff with cookies, expiring the download link after a couple hours, requiring 2 calls to download an object (send a auth request and get a temporary download link), downloading the data via an authed POST request then combine the data in browser and download that version of the file. Many of these come with some drawbacks, tons of browser memory when downloading things, tab crashes on large objects, inefficient downloads, and bad links when a user tries to download from webmail after being on the page for a long time (laptops waking up). But among this there is likely a better solution.

EDIT: Many links in the product are generated this same way. The gal and contact images, file storage, downloads from workspaces, and soon attachments on calendars, tasks, contacts, and notes.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
Back to Community Threads

Reply to Thread

Enter the verification text

Related Knowledge Base Articles

Google Safe Browsing Warning and SmarterMailSmarterMail > Troubleshooting
Setting Up Two-Step Authentication (2FA, MFA, etc.)SmarterMail > Desktop and Mobile Synchronization
Configure IMAP on iPhone or iPadSmarterMail > Desktop and Mobile Synchronization
Cannot Add Attachments Using the SmarterMail Web InterfaceSmarterMail > Troubleshooting
Import/Export a PST File Using OutlookSmarterMail > Desktop and Mobile Synchronization