

Canary Mail and MailCore2 library missing certificate validation check on IMAP STARTTLS

CENSUS ID:

Canary Mail for iOS and macOS versions 3.20 and 3.21, MailCore2 library version 0.6.4

Canary Mail is a mail client for iOS and macOS that supports Gmail, iCloud, Office365, Yahoo, IMAP and Exchange accounts.

CENSUS performed a functional security test on a number of mail clients, looking for possible vulnerabilities related to man-in-the-middle attacks. While testing Canary Mail with the IMAP STARTTLS setting, CENSUS found that the iOS and macOS versions of the software would happily connect to a fake IMAP service introduced by a man-in-the-middle attacker, as they performed no certificate validation.

Improper Certificate Validation (CWE-295)

CENSUS identified that the Canary Mail software in versions 3.20 and 3.21 (and possibly previous versions) is missing a certificate validation check when performing an IMAP connection configured with STARTTLS. The same vulnerability also affects other software based on the MailCore2 library (including version 0.6.4).

This vulnerability allows man-in-the-middle attackers to collect a victim user's email credentials (while these are communicated to the IMAP service), to access email messages and perform other IMAP actions on the victim's account, and also to modify email messages while in transit to Canary Mail.

CENSUS strongly recommends that iOS and macOS users of the Canary Mail software update to version 3.22, as this version carries a fix for the aforementioned vulnerability. A patch for the library is publicly available; however, it has not yet been incorporated into an official library release.
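The check the advisory says was missing is the client-side one: after the STARTTLS upgrade, the client must verify the server's certificate chain against trusted roots and check that the name matches the host it dialled, before any credentials are sent. The following is an added illustration using Python's standard `imaplib` and `ssl` modules; it is not code from Canary Mail, MailCore2 or CENSUS, and does not show how either client performs the upgrade internally. It places the weak configuration (TLS negotiated, but every certificate accepted) beside the correct one, plus a small helper that tells the two apart, so a reviewer can recognise the pattern in any client that exposes its TLS settings.

```python
import imaplib
import ssl


def verifying_context(cafile=None):
    """Correct client configuration: validate the server chain and the hostname.

    ssl.create_default_context() already enables both checks; they are
    restated explicitly because these are exactly the two checks the
    advisory describes as missing.  cafile is optional (system trust store
    is used when it is None).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_context():
    """The weak configuration: STARTTLS is negotiated, but any certificate,
    self-signed or issued for another name, is accepted.  A man-in-the-middle
    presenting its own certificate would therefore terminate the TLS session
    and see the LOGIN that follows.  check_hostname must be cleared before
    verify_mode, otherwise SSLContext raises ValueError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_validates_server(ctx):
    """True only if the context would reject an untrusted chain AND a name
    mismatch.  Either one alone leaves the client vulnerable."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def imap_starttls_login(host, user, password, port=143, ctx=None):
    """Connect in plaintext on the IMAP port, upgrade with STARTTLS, then log in.

    Credentials are sent only after the upgrade succeeds, and with a
    verifying context the upgrade fails (ssl.SSLCertVerificationError) if
    the certificate does not validate, so nothing secret reaches an
    impostor.  Returns the authenticated IMAP4 object.
    """
    ctx = ctx or verifying_context()
    conn = imaplib.IMAP4(host, port)
    # imaplib raises if the server does not advertise STARTTLS, so a
    # plaintext session never silently continues without the upgrade.
    typ, _ = conn.starttls(ssl_context=ctx)
    if typ != "OK":
        raise RuntimeError("STARTTLS refused by server")
    conn.login(user, password)
    return conn


if __name__ == "__main__":
    # Offline demonstration: only the two configurations are compared.
    print("default context validates:", context_validates_server(verifying_context()))
    print("weak context validates:   ", context_validates_server(unverified_context()))
    # Against a real server (hypothetical host and credentials):
    # imap_starttls_login("imap.example.invalid", "user", "password").logout()
```

The same two properties map directly onto what an auditor looks for in a native client: whether the TLS handshake completes with a certificate from an untrusted issuer, and whether it completes with a valid certificate issued for a different hostname. A client that passes only one of the two is still exposed.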
