This post doesn't go into detail at all but even then I find myself choosing Fastmail's side. If they removed / altered the images, the PGP signature wouldn't be valid anymore, right?
I'm not aware of any EXIF exploit which would be dangerous to the recipient of such an email. AFAIK, only weakly configured servers / php scripts would potentially execute an image uploaded with malicious EXIF data. Thus, there is no security issue for the recipients.
The blog post is very light on details, which makes it feel manipulative and a bit immature. For example:
> Every other company has fixed this issue upon us reporting it to them.
Which companies? Even if you're not allowed to tell, how many other companies? Did they offer a similar email service?
Thank you for discussing this article. We value everyone's feedback which is why we're answering your questions. We didn't think of listing how many other companies we've worked with on this issue, but we will try to add in that type of information in future articles when possible.
It is a bit hard to say how many companies we've worked with because, like you noted, we aren't always allowed to tell unless we have permission to do so. Also, we deal with so many bugs every day that we've lost count of how many times a certain type of bug has been fixed.
A few companies who do try to stop these types of attacks are Gmail, Facebook and Pinterest. It is important to note that we didn't assist them with fixing those issues, which is one reason we're allowed to talk about it. You can stop malicious images from being attached instead of just removing the code after it is uploaded.
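As an added illustration of the two approaches contrasted in the reply above (refusing an attachment whose metadata segments carry script-like text, versus stripping the metadata after upload), here is a small JPEG segment walker. This is example code written for this thread, not Fastmail's or the reporters' code. The sample JPEG is constructed inline and is only structurally valid (it will not decode to a picture), and the marker strings in SUSPICIOUS are an assumed, illustrative list rather than anything taken from a real scanner.

```python
"""Walk the segments of a JPEG, flag APPn/COM metadata segments that contain
script-like text, and produce a copy with all such metadata segments removed.
Example code for this discussion; the sample image below is constructed."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}   # markers with no length field
METADATA = {*range(0xE0, 0xF0), 0xFE}               # APP0..APP15 (EXIF lives in APP1) and COM
SUSPICIOUS = (b"<?php", b"<?=", b"<script")         # assumed, illustrative markers


def iter_segments(data):
    """Yield (marker, payload) for every segment up to and including SOS, then
    (None, rest) for the entropy-coded scan and trailer, which is copied verbatim."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while data[pos + 1] == 0xFF:        # skip optional 0xFF fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, b""
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes the 2 length bytes
        payload = data[pos + 4:pos + 2 + length]
        if len(payload) != length - 2:
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, payload
        pos += 2 + length
        if marker == SOS:
            yield None, data[pos:]
            return


def find_suspicious_metadata(data):
    """Return [(marker_hex, needle)] for each metadata segment carrying a suspicious string.
    A gateway that wants to refuse the attachment outright would act on a non-empty result."""
    hits = []
    for marker, payload in iter_segments(data):
        if marker in METADATA:
            lowered = payload.lower()
            for needle in SUSPICIOUS:
                if needle in lowered:
                    hits.append((f"0x{marker:02X}", needle.decode()))
    return hits


def strip_metadata(data):
    """Return a copy of the JPEG with every APPn and COM segment removed.
    Note that this changes the attachment bytes, so any signature computed over
    the original file (for example a PGP signature) will no longer verify."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in iter_segments(data):
        if marker is None:
            out += payload                                  # scan data + EOI, untouched
        elif marker in METADATA:
            continue                                        # drop metadata segment
        elif marker in STANDALONE:
            out += bytes([0xFF, marker])
        else:
            out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out)


def _segment(marker, payload):
    """Helper to build a length-prefixed segment for the constructed sample."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: structurally valid JPEG framing with a COM segment holding a
# harmless placeholder string that merely looks like a PHP open tag.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")      # APP0 JFIF header
    + _segment(0xFE, b"<?php /* constructed test string, not executable */ ?>")  # COM
    + _segment(0xDB, bytes(65))                                              # DQT placeholder
    + _segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")                # SOF0 8x8 grayscale
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                            # SOS header
    + b"\x12\x34\x56"                                                        # fake scan bytes
    + b"\xff\xd9"                                                            # EOI
)

if __name__ == "__main__":
    print("suspicious:", find_suspicious_metadata(SAMPLE_JPEG))
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("after strip:", find_suspicious_metadata(cleaned), "bytes changed:", cleaned != SAMPLE_JPEG)
```

Running it shows the COM segment flagged before stripping and nothing flagged afterwards; the `cleaned != SAMPLE_JPEG` check is the point raised at the top of the thread in concrete form: a server-side strip necessarily alters the attachment, so it cannot coexist with a signature the sender computed over the original bytes, whereas a reject-at-attach-time policy leaves accepted files untouched.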