Summary
An attacker can send a manipulated email that leaves the recipient unable to use the app to access received emails.
Details
By sending a manipulated email, an attacker can put the app into an unusable state in which the user can no longer access received e-mails. Because the vulnerability affects not only the app but also the web application, the affected user then has no way at all to access received emails.
PoC
- The attacker sends an email to another Tutanota user from a Tutanota account, but encrypts it with a public key other than the recipient's. This could be done, for example, with Burp by intercepting the server's response and replacing the recipient's public key with another one.
- The victim receives the e-mail and sees an error message (similar to Figure 1). After receiving the manipulated e-mail, the client is in some cases temporarily unable to display new mails. Moving emails is also no longer possible, and some settings cannot be changed; for example, the audit log, which records important actions such as disabling two-factor authentication, is no longer updated.
- Because of this behavior, a user would probably log in to the app again.
- After re-login, no e-mails can be displayed in the inbox: an error is shown after re-login (Figure 1) and no e-mails can be displayed or read in the inbox (Figure 2). Since this vulnerability affects the web application as well as the app, the user no longer has any way to access received emails in the inbox.
Impact
Users cannot access or read received mails. Probably all clients are affected; tested with the iOS and web apps.