Stealing Your I2P Email
Introduction
I2P, is an anonymous network somewhat similar to Tor, but without clear-net access.
The official software bundle for accessing the I2P network has several pieces, one being an email client.
The router for configuring the client is web based, meaning it is a locally run HTTP server.
This means that it is susceptible to a class of attacks unique to web services, such as Cross Site Request Forgeries (CSRF).
Exploiting the I2P Email Client
I started examining the control forms in I2P, looking for anything that isn’t protected by a special token known as a nonce.
As far as I could tell, the entire bundle was protected, that is, until I examined the Email client, Susimail.
Due to an oversight, Susimail had no protection against CSRF attacks.
This allowed attackers to arbitrarily change a target’s server to an attacker controlled one, potentially allowing them to see who the target was communicating with, and the plaintext of their Emails if they failed to use PGP.
All the attacker would have to do is setup an Eepsite and encourage any visitors to click something on their site, delivering the payload, or a clearnet site could detect if someone is running I2P, and do the same thing.
Reporting It
I disclosed this vulnerability to ZZZ, who pushed a fix within a few days. It took several weeks for a release to come out with the fix though, which I find worrying.
Lessons Learned
When creating software that runs as a web server, even if it is only intended to be locally accessed, one must be cautious to implement standard protections against web based attacks like CSRF.
I recommend anyone using the standard I2P bundle update ASAP, especially if they use Susimail.