Top open source email platform hacked to steal user details

Roundcube is being exploited to target government firms

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers are abusing a vulnerability in the Roundcube Webmail to steal emails and other sensitive data, new reports have claimed.

Cybersecurity experts from Positive Technologies sounded the alarm, saying the popularemail clientcarries a flaw that is being actively exploited against government organizations in the Commonwealth of Independent States (CIS) region (former Soviet Union).

Roundcube Webmail is a popular browser-based email client with a user-friendly interface that mimics the look and feel of a desktop application. It supports standard email protocols like IMAP and SMTP, and offers features such as message search, contact management, and plugin customization.

Hiding with HTML

The bug is tracked as CVE-2024-37383, and described as a medium-severity stored cross-site scripting (XSS) flaw, allowing the execution of malicious JavaScript on the Roundcube page.

To trigger the vulnerability, the crooks would draft and send a unique email. The email’s body appears empty, and only comes with a .DOC attachment. But the attackers would hide harmful code in the email using specific HTML tags (in this case, the tag), which is processed by the email client, while being invisible to the target user.

Thepayloadis a piece of JavaScript code masquerading as a ‘href’ value. It downloads a decoy .DOC file, while injecting an unauthorized login form into the HTML page, which requests messages from the mail server. The form prompts the victim for their username and password, which are then relayed to the attackers.

All versions up to 1.5.6, as well as versions between 1.6 and 1.6.6. were said to be vulnerable to the flaw. Versions 1.5.7 and 1.6.7, released on May 19, are the earliest ones to have addressed the bug, and users are advised to upgrade their clients as soon as possible.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

GoPro Max 2 hit by further delays – 2025 is the earliest we’ll see the 360-degree action cam