FastMail Refuses to Fix Security Issue Allowing Customers to Send Malicious Code - _RPM
https://planetzuda.com/2015/02/16/email-service-fastmail-refuses-to-fix-security-issue-allowing-customers-to-send-malicious-code/

======
breakingcups
This post doesn't go into detail at all, but even then I find myself choosing
Fastmail's side. If they removed / altered the images, the PGP signature
wouldn't be valid anymore, right?

I'm not aware of any EXIF exploit which would be dangerous to the recipient of
such an email. AFAIK, only weakly configured servers / php scripts would
potentially execute an image uploaded with malicious EXIF data. Thus, there is
no security issue for the recipients.

The blog post is very light on details, which makes it feel manipulative and a
bit immature. For example:

> Every other company has fixed this issue upon us reporting it to them.

Which companies? Even if you're not allowed to tell, how many other companies?
Did they offer a similar email service?

~~~
planetzudasec
Thank you for discussing this article. We value everyone's feedback which is
why we're answering your questions. We didn't think of listing how many other
companies we've worked with on this issue, but we will try to add in that type
of information in future articles when possible.

It is a bit hard to say how many companies we've worked with because, like you
noted, we aren't always allowed to tell unless we have permission to do so.
Also, we deal with so many bugs every day that we've lost count of how many
times a certain type of bug has been fixed.

A few companies who do try to stop these types of attacks are gmail, facebook
and pinterest. It is important to note that we didn't assist them with fixing
those issues, which is one reason we're allowed to talk about it. You can stop
malicious images from being attached instead of just removing the code after
it is uploaded.

If you have any more questions, feel free to ask.
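The check planetzudasec describes (reject an image with code smuggled into its metadata at upload time, rather than stripping it afterwards, which as breakingcups notes would also break a PGP signature over the attachment) can be sketched as a small JPEG segment scanner. This is an added example for this thread, not code from FastMail, Planet Zuda or any poster; the two sample JPEGs and the list of code markers are constructed for illustration.

```python
import struct

# JPEG segments that carry free-form metadata text (EXIF lives in APP1).
METADATA_MARKERS = {0xE1: "APP1/EXIF", 0xFE: "COM"}
# Constructed list of strings that have no business inside image metadata;
# a hit means someone is smuggling server- or client-side code in the file.
CODE_MARKERS = (b"<?php", b"<script", b"eval(", b"system(")

def jpeg_segments(data):
    """Walk the marker segments of a JPEG and yield (marker, payload) pairs.
    Stops at SOS (entropy-coded image data) or EOI; raises on corrupt input."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_embedded_code(data):
    """Return [(segment_name, marker_string)] for every code marker found
    in a metadata segment; case-insensitive so '<?PHP' is caught too."""
    findings = []
    for marker, payload in jpeg_segments(data):
        name = METADATA_MARKERS.get(marker)
        if name is None:
            continue
        lowered = payload.lower()
        findings.extend((name, n.decode()) for n in CODE_MARKERS if n in lowered)
    return findings

def accept_attachment(data):
    """Upload policy: accept or reject, never rewrite. The bytes of an
    accepted file are untouched, so a signature over them still verifies."""
    return not find_embedded_code(data)

def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples (not real attachments from the article).
CLEAN_JPEG = b"\xff\xd8" + _segment(0xFE, b"Shot on a phone") + b"\xff\xd9"
TAINTED_JPEG = b"\xff\xd8" + _segment(0xFE, b"<?php /* smuggled */ ?>") + b"\xff\xd9"
```

A real mail gateway would run the same scan over every attachment format it accepts and over the IFD tag values inside the APP1 payload, not just the raw bytes, but the accept-or-reject policy is the part that matters here.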

