Downloadable attachments in webmail without login to email account
Problem reported by Endr - 2/23/2022 at 10:27 AM

We got a notification from Google about "Malicious or unwanted software detected" on our mail server.
After our investigation we saw that all attachments in webmail can be downloaded without logging in to that email account.
So anyone who knows the attachment URL can download that attachment without logging in to that email account.
This is because the file URL is generated only one time. It is a static URL if you keep the email in the same folder.
As far as we can see, there is no session control on that download link. (Not the file share app, just an attachment in webmail.)

You can try these steps:
- Send an email with a file to your own mail address.
- Right-click the attachment and copy the URL.
- Log out from that email account.
- In a different browser or in private mode, paste the URL.

It is downloadable.

It seems to us like a security issue.
Also, those URLs are tracked by Chrome browsers, and some antivirus programs report malicious file URLs to the Google safe program.
If it is not moved for a period of time, Google flags that page as unsafe, and after that no one can download the file from webmail.

Have you ever faced that kind of problem? If yes, how did you solve it?

Thank you

2 Replies

Gabriele Maoret - SERSIS Replied
Gabriele Maoret - Head of SysAdmins at SERSIS
Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
Matt Petty Replied
Employee Post
The URLs generated by your server are unique to your server and encrypted with a per-server key. There is NO way for someone outside of your server to find out what URLs (or generate new URLs) they can use to download things. If you are using HTTPS the URL cannot be sniffed. The only way for something to find the URLs is to run locally within the browser or something malicious running on the server itself. In either of those two cases, changing how we download something wouldn't change those attack vectors. The real crappy hard-to-address issue here is the inability to control Google's grabby little hands on any piece of private information they can get their hands on, despite us issuing the required headers and endpoints that should dissuade them from accessing/indexing this information in the first place.

But I agree this is still kind of a security issue, just a very specific one that can't be abused. Maybe we could investigate doing stuff with cookies, expiring the download link after a couple hours, requiring 2 calls to download an object (send an auth request and get a temporary download link), downloading the data via an authed POST request then combining the data in the browser and downloading that version of the file. Many of these come with some drawbacks: tons of browser memory when downloading things, tab crashes on large objects, inefficient downloads, and bad links when a user tries to download from webmail after being on the page for a long time (laptops waking up). But among these there is likely a better solution.

EDIT: Many links in the product are generated this same way. The GAL and contact images, file storage, downloads from workspaces, and soon attachments on calendars, tasks, contacts, and notes.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
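
An added example, not part of the thread and not SmarterMail code: one way to implement the "auth request, then temporary download link" idea from the reply above, with an HMAC-signed token that expires and is only honoured for the logged-in user it was issued to. The function names, token layout, `SERVER_KEY` and the sample addresses are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: a per-server secret, generated once and kept server-side.
SERVER_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 2 * 60 * 60  # "a couple hours", as floated in the reply


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_download_token(user, attachment_id, now=None, key=SERVER_KEY):
    """Call 1: made from an authenticated request; returns a short-lived token."""
    now = time.time() if now is None else now
    claims = {"u": user, "a": attachment_id, "exp": int(now) + LINK_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(tag)}"


def verify_download_token(token, session_user, attachment_id, now=None, key=SERVER_KEY):
    """Call 2: made by the download endpoint; returns (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except (ValueError, TypeError):
        return False, "malformed"
    # Check the signature before trusting anything inside the payload.
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        return False, "bad signature"
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return False, "expired"
    if claims["a"] != attachment_id:
        return False, "wrong attachment"
    if session_user is None or claims["u"] != session_user:
        return False, "no matching session"  # the logged-out case from the report
    return True, "ok"


if __name__ == "__main__":
    tok = issue_download_token("alice@example.test", "att-1")  # constructed sample values
    print(verify_download_token(tok, "alice@example.test", "att-1"))
    print(verify_download_token(tok, None, "att-1"))  # pasted into a logged-out browser
```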
