Newly Identified Risks with Horde Web Email

reading time Reading Time: 5 minutes

It’s nearly impossible to veer away from web security and privacy concerns these days, as it’s a pressing issue in the digital world and the frequency with which new hacker attacks are arriving makes this types news as necessary as it is overwhelming. As we discussed in an earlier entry here, hackers are motivated by money, as there’s dirty dollars to be made selling sensitive information acquired from people without their consent, approval, or anything or the sort.

So here we are into the second last month of 2019 and – not surprisingly – another new and urgent software vulnerability is pushing its way to the forefront of what’s new and noteworthy in the world of web hosting. Here at 4GoodHosting, it’s likely that we’re not different from any other good Canadian web hosting provider in that we don’t have the luxury of not paying attention to developments like these, and so here we are again today.

Most of you will be familiar with Horde, as it’s one of the most popular free and open-source web email systems available to consumers these days. In truth, it’s the epitome of what a quality open-source web resource should be, as it’s been very responsibly built and is a good example of what can and should be done to ensure that software does not eventually become exclusive to deep-pocket development businesses.

However, unfortunately it seems that a major security flaw with Horde has been exposed and we believe it’s always best to put users in the know as soon as possible regarding this stuff. We’ll try to go short on the technical stuff, but this vulnerability is related to CVE 2018-19518, an IMAP (Internet Message Access Protocol) and it exists in the ‘imap-open’ function that is used to open an IMAP stream to a mailbox.

Invisible Thieves

In most cases where security is compromised and information or identity theft occurs – both in the digital world and otherwise – there’s more often than not some type of identifiable evidence of an unwelcome guest having been on the ‘premises’. Not so here, as a prominent web security researcher claims they’ve detected several vulnerabilities in the popular open-source Horde web email software that allow hackers to steal the contents of a victim’s inbox, and do so nearly invisibly.

Now for those of you who are in fact unfamiliar with it, Horde is one of the most popular free and open-source web email systems available. It’s built and maintained by a core team of developers, with contributions from the wider open-source community. It’s popularity has grown in leaps and bounds over the last couple of years, and is actually the default email client that is used by a good many universities, libraries and many web hosting providers themselves.

According to the report, these vulnerabilities with Horde were first seen in May. How the hackers gets ‘in’ is by scraping and download a victim’s entire inbox. Now most you will be saying ‘surely that’s not possible with all the protective measures and security checks in place these days’, and you’d be right – provided the door wasn’t opened for them.

That’s how this Horde security flaw is taken advantage of. The hacker tricks the user into clicking a malicious link in an email. Once that click is made, the inbox is quickly and thoroughly downloaded to the attacker’s server.

What could happen next likely doesn’t need a whole lot of explanation. Any valuable information contained in any of the communications contained in that inbox is there for the taking. Given how many of us have sensitive information like banking and other types contained in email communications, this risk doesn’t need to be amplified any more than it already is.

Known Culprits

Earlier this year there were over 3,000 firewalls hit with 20,000+ requests over just two days, and while we don’t have numbers to indicate how the problem’s been since then the fact that it’s more in the news now than then suggests that the problem hasn’t abated and very likely grown since then.

The folks over at Sonic Wall have published some of the ‘busted’ IPs from which these requests have originated. If you know where to look for them and are using Horde yourself, feel free to have a look for any of these known bad guys:

109.237.27.71 / 98.6.233.234 / 173.8.113.97 / 34.195.252.116 / 85.25.198.121 / 103.233.146.6 / 98.188.240.147 / 162.158.63.144 / 203.180.245.92 / 173.237.133.206 / 23.210.6.109 / 45.33.62.197 / 85.25.100.197 / 162.243.224.192 / 212.48.68.180 / 200.160.158.244 / 149.126.78.3 / 162.158.154.95 / 81.169.158.6 / 23.35.150.55 / 51.254.28.132 / 150.95.169.224 / 162.158.77.240 / 139.99.5.223 / 185.18.197.75 / 162.158.90.10

And if you see activity from any related to access to your software then it should very much be a red flag.

A Fix?

The norm is for security researchers to typically give organizations three months to fix flaws before they are publicly disclosed, so the fac this information has been made public and the news of the breaches counted earlier in 2019 suggests this has gone on for too long. Further, the consensus is that these flaws pose a ‘high’ security risk to users.

It should be mentioned that some – not all - of the vulnerabilities were fixed in the latest Horde webmail version. We’ve read that the Horde community has not publicly acknowledged the vulnerability — or that users of earlier versions of the webmail are still vulnerable.

Definitely something to be aware of and taking steps to protect yourself if you and / or your organization is using Horde as your chosen mail client. Not suggesting you reconsider that choice as it really is an excellent free and open-source web email system. And further, now that this is much more in the public eye, we expect Horde to be MUCH more aggressive in addressing this security vulnerability.

You may also like: