Hackers Utilize Roundcube Webmail XSS Flaw to Obtain Login Information
Unidentified attackers have been seen exploiting a now-fixed security vulnerability in the open-source Roundcube webmail software to perpetrate a phishing campaign aimed at stealing user login credentials.
A report by Russian cybersecurity firm Positive Technologies revealed that a suspicious email was sent to an unspecified governmental organization in one of the Commonwealth of Independent States (CIS) nations. Notably, the email was initially dispatched in June 2024.
“The email seemed to be a message void of any text, featuring just an enclosed document,” as described in an analysis released earlier this week by the company.
“Nevertheless, the recipient’s email client failed to display the attachment. The email body bore distinctive tags with the eval(atob(…)) statement, which decodes and executes JavaScript code.”
The attack procedure, according to Positive Technologies, involves exploiting CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) weakness through SVG animate attributes, facilitating the execution of arbitrary JavaScript within the victim’s web browser environment.
In simpler terms, an external attacker could inject arbitrary JavaScript code and retrieve sensitive data by enticing an email recipient to open a specially crafted message. The problem has been addressed in versions 1.5.7 and 1.6.7 of Roundcube as of May 2024.
“By embedding JavaScript code as the value for ‘href’, we can execute it on the Roundcube page whenever a Roundcube client views a suspicious email,” Positive Technologies explained.
The JavaScript payload, in this instance, saves the empty Microsoft Word attachment (“Road map.docx”), retrieves messages from the mail server using the ManageSieve plugin, and injects a fake login form into the HTML document shown to the user in an attempt to deceive individuals into disclosing their Roundcube login details.
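As an added defender-side example, not code from Positive Technologies or the Roundcube project, the following Python scanner flags an email HTML body that carries the two traits described above: an SVG animation element whose href or xlink:href attribute holds a javascript: URL, and an inline eval(atob(...)) chain, whose base64 argument it decodes so an analyst can read what would have run. The element list, the whitespace normalisation and the sample bodies are constructed assumptions for illustration, not material from the campaign.

```python
"""Heuristic scanner for email HTML bodies matching the Roundcube XSS
delivery pattern: SVG animation elements with a javascript: href and
inline eval(atob(...)) chains.

Added example; not Positive Technologies' or Roundcube's code.
"""
import base64
import re
from html.parser import HTMLParser

# SVG elements that can carry an href attribute (assumed list for this example).
SVG_ANIMATION_TAGS = {"animate", "set", "animatemotion", "animatetransform"}
HREF_ATTRS = {"href", "xlink:href"}

# Matches eval(atob('<base64>')) with either quote style.
EVAL_ATOB_RE = re.compile(
    r"eval\s*\(\s*atob\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.IGNORECASE
)


class SvgHrefScanner(HTMLParser):
    """Collects SVG animation elements whose href resolves to a javascript: URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in SVG_ANIMATION_TAGS:  # HTMLParser lowercases tag names
            return
        for name, value in attrs:
            if name in HREF_ATTRS and value:
                # Drop whitespace/control characters so "java\tscript:" is not missed.
                normalised = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if normalised.startswith("javascript:"):
                    self.findings.append(f"<{tag}> {name}={value!r}")


def scan_email_html(html: str) -> dict:
    """Return suspicious SVG hrefs, decoded eval(atob) blobs and an overall verdict."""
    scanner = SvgHrefScanner()
    scanner.feed(html)
    scanner.close()

    decoded = []
    for blob in EVAL_ATOB_RE.findall(html):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded.append("<undecodable base64>")

    return {
        "svg_js_hrefs": scanner.findings,
        "eval_atob_payloads": decoded,
        "suspicious": bool(scanner.findings or decoded),
    }


# Constructed sample bodies (not the real campaign's message).
BENIGN = "<p>Hello,</p><p>Please see the attached agenda.</p>"
SUSPICIOUS = (
    '<body><svg><animate xlink:href="javascript:eval(atob(\'YWxlcnQoMSk=\'))" '
    'attributeName="x"/></svg></body>'
)
OBFUSCATED = '<svg><set href="java\tscript:void(0)" attributeName="y"/></svg>'


if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("obfuscated", OBFUSCATED)):
        print(label, scan_email_html(body))
```

Run it over each text/html MIME part of an inbound message at the gateway; a hit on either list is a strong reason to quarantine the message and review the sending infrastructure, and the decoded blob gives responders the payload without opening the mail in a browser.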
In the final phase, the gathered username and password details are transmitted to an external server (“libcdn[.]org”) hosted on Cloudflare.
The responsible party behind the exploitation activity is currently unknown, though previous vulnerabilities found in Roundcube have been exploited by several hacking factions like APT28, Winter Vivern, and TAG-70.
“Despite Roundcube webmail not being the most prevalent email client, it continues to be a target for cyber assailants because of its extensive adoption by government entities,” the company noted. “Breaches targeting this software can lead to significant repercussions, enabling malicious agents to pilfer confidential data.”