Hackers can steal the contents of Horde webmail inboxes with one click

Cyber Messages Concept Envelope Shaped Bokeh of Light Illuminated Fiber Optics on Black Background.
Zack Whittaker

A security researcher has found several vulnerabilities in the popular open-source Horde web email software that allow hackers to near-invisibly steal the contents of a victim's inbox.

Horde is one of the most popular free and open-source web email systems available. It's built and maintained by a core team of developers, with contributions from the wider open-source community. It's used by universities, libraries and many web hosting providers as the default email client.

Numan Ozdemir reported the vulnerabilities to Horde in May. An attacker can scrape and download a victim's entire inbox by tricking them into clicking a malicious link in an email.

Once the link is clicked, the contents of the inbox are sent to a server controlled by the attacker.

But the researcher did not hear back from the Horde community. Security researchers typically give organizations three months to fix flaws before they are publicly disclosed.

NIST, the U.S. government agency that maintains the National Vulnerability Database, said this week that the flaws pose a "high" security risk to users.

Ozdemir said some — though not all — of the vulnerabilities were recently fixed in the latest Horde webmail version. But the Horde community has not publicly acknowledged the vulnerabilities, or that users of earlier versions of the webmail remain vulnerable.

"It is really very easy to steal people's email," he told TechCrunch.

His bug report filed with Horde remains open at the time of writing. We emailed Horde several times, but did not hear back until after publication. Jan Schneider, a core developer on the project, said the vulnerabilities "have indeed been fixed, won't be fixed, or didn't even exist anymore at the time of the reporting."
