pupu
Active member
- Mar 9, 2016
- 1,431
- 3
Security Update for the Apps
Dear Tutanota user,
today we have to inform you about a security vulnerability in the new Tutanota iOS and new Android beta app (F-Droid & Play Store). Two weeks ago, our development team has discovered and immediately patched a vulnerability that could have allowed attackers to inject arbitrary code into the web part of the app using crafted file names if a user downloaded this file. As far as we know, there has not been an active exploitation of this vulnerability. We estimate that only a fraction of our users had used the affected app versions. The old Android app (currently available in the Play Store) and the web client have not been affected at any time. As part of our strict transparency policy, we have published all details about this vulnerability on our blog.
The affected app versions have been disabled so the vulnerability can no longer be abused. In case you have used one of the affected versions, we recommend to change your password as a security measure. We also recommend turning on second-factor authentication if possible.
We are currently reviewing our development process to adjust our methods to further maximize the probability of finding security relevant issues prior to releasing new app versions. We apologize for any inconvenience caused by this. We are now doing an internal security review of the new Tutanota email client and iOS and Android apps. We also plan to commence an external security review soon. If you want to contribute to Tutanota's security, we appreciate your donation for an external security review.
Thank you very much for your support,
your Tutanota Team
Dear Tutanota user,
today we have to inform you about a security vulnerability in the new Tutanota iOS and new Android beta app (F-Droid & Play Store). Two weeks ago, our development team has discovered and immediately patched a vulnerability that could have allowed attackers to inject arbitrary code into the web part of the app using crafted file names if a user downloaded this file. As far as we know, there has not been an active exploitation of this vulnerability. We estimate that only a fraction of our users had used the affected app versions. The old Android app (currently available in the Play Store) and the web client have not been affected at any time. As part of our strict transparency policy, we have published all details about this vulnerability on our blog.
The affected app versions have been disabled so the vulnerability can no longer be abused. In case you have used one of the affected versions, we recommend to change your password as a security measure. We also recommend turning on second-factor authentication if possible.
We are currently reviewing our development process to adjust our methods to further maximize the probability of finding security relevant issues prior to releasing new app versions. We apologize for any inconvenience caused by this. We are now doing an internal security review of the new Tutanota email client and iOS and Android apps. We also plan to commence an external security review soon. If you want to contribute to Tutanota's security, we appreciate your donation for an external security review.
Thank you very much for your support,
your Tutanota Team
