Money for old rope? Ropemaker changes your emails AFTER delivery
Money for old rope? Ropemaker changes your emails AFTER delivery

Bringing the dynamic capabilities of the web to email sounds great until you learn that your emails can be changed after they have been delivered, corrupting your records and introducing malicious urls  using the Ropemaker vulnerability which bypasses common security controls and can also fool sophisticated users.

ROPEMAKER is an acronym  for Remotely Originated Postdelivery Email Manipulation Attacks Keeping Email Risky. A report by Mimecast details how the attack works without needing direct access to your PC or your email application to achieve remote control ability, including making emails changeable post-delivery under the control of a malicious actor which is particularly concerning given that email-borne attacks are the most common entry point for attackers.

Discovered by Mimecast ‘s Francisco Ribeiro (@blackthorne), Ropemaker enables an attacker to remotely change the (perceived) content of an email, anytime, postdelivery. Whether it is  a vulnerability which needs to be patched – or misuse of an application which needs to be defended against is up for discussion

Mimecast has issued a paper which explains the origin of Ropemaker, which is described as laying at the intersection of email and Web technologies, such as HTML, Cascading Style Sheets (CSS), and hypertext.  It explains: “While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text based predecessor, this has also introduced an easily exploitable attack vector for email. People commonly expect the content of Web pages to be dynamic - able to change moment-to-moment - but do not expect their email to do so as well. Email in many cases is treated more like a snail mail letter – once sent never changing - whereas Web pages are understood to be more like TV stations with a continuously changing flow of visual, audio, and text content. The techniques behind Ropemaker are thus another potential email-based attack vector that we expect attackers to leverage as they continually evolve from one technique to the next.”

The principle is that Web technologies interoperate over a network so resources housed remotely but linked by a network (including the internet can interoperate, one affecting the execution of the other. So web content/resources can be fetched and reference without the direct control of the local user – which is usually desirable, such as remote Cascading Style Sheets (CSS).  CSS enables the separation of presentation and content, and if the if presenting application supports it, a CSS file can be accessed remotely across the network (eg the Internet). So part of the system is controlled in an untrusted zone, and instead of controlling just the style of the email, the remote CSS can actually control the content of the email.

As an example of malicious use, an attacker could switch the display of an email from using a “good” URL to presenting an “evil” URL,  or could change the “content” (the presentation of this content) of a delivered email, changing “yes” to “no” or “£1” to “£1 million”.