WYAE.de - IT Security, KnowHow & Software

2023-12-24

Android & iPhone App 'BlueMail' Steals Mail Account Credentials

The mail application leaks passwords to Amazon AWS servers, which then access the account without user consent.

Update 12/2023

Messages from users who still experience the documented behaviour on some of their accounts (roughly 10-20%, in a small sample).

Update 10/2021

Brief one-day tests showed none of the previously observed behaviour, neither on Android nor on iPhone.

Original Advisory

Similar to the Blackberry mail login credential theft discovered in 07/2013 by Frank Rieger, the BlueMail iOS app sends the login credentials to an AWS server (a system used by BlueMail) without the user's consent or knowledge.

Credentials MUST EXCLUSIVELY be exchanged between mail client and mail server and NEVER be leaked to anyone. No one, and especially no software vendor, has the right to harvest account credentials for whatever reason, send them back to its own server without explicit user consent, and then on top of that connect back to the mail server with them.

Recommendation

You should delete BlueMail from any Apple iOS device immediately, change the e-mail password and switch to an alternative mail program.

Log excerpt

All logs are recorded in MET (GMT+1)

Feb 10 19:03:20 gerda dovecot[8541]: imap-login: Login: user=****, method=PLAIN, rip=34.197.140.199, lip=****, mpid=9975, TLS, session=<XnHSdd9kwEwixYzH>
Feb 10 19:03:21 gerda dovecot[8541]: imap(****)<9975><XnHSdd9kwEwixYzH>: Logged out in=38 out=566 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Feb 10 19:03:22 gerda dovecot[8541]: imap-login: Login: user=****, method=PLAIN, rip=54.174.226.182, lip=****, mpid=9977, TLS, session=<Q0Lqdd9k36A2ruK2>
Feb 10 19:03:30 gerda dovecot[8541]: imap-login: Login: user=****, method=PLAIN, rip=54.174.226.182, lip=****, mpid=9981, TLS, session=<2IJrdt9k9qA2ruK2>

Both IP addresses 34.197.140.199 (Amazon NET34) and 54.174.226.182 (Amazon NET54) belong to the Amazon EC2/AWS IP ranges.

BlueMail keeps trying after app uninstallation

Sessions are kept open and logins are still being tried even days after the app has been uninstalled (and, obviously, after the password was changed later).

Feb 11 01:09:27 gerda dovecot[8541]: imap(****)<28626><Wm6ckuRkmMesH/+S>: Connection closed (STATUS finished 8.359 secs ago) in=646 out=3974 deleted=0 expunged=0 trashed=0 hdr_count=2 hdr_bytes=146 body_count=0 body_bytes=0
[last logout during app deinstallation]

Feb 11 13:17:10 gerda dovecot[8541]: imap(****)<9981><2IJrdt9k9qA2ruK2>: Connection closed (IDLE finished 54.887 secs ago) in=4447 out=37491 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
Feb 11 13:45:14 gerda dovecot[8541]: imap-login: Login: user=****, method=PLAIN, rip=54.174.226.182, lip=****, mpid=6632, TLS, session=<lqUBIu9kty42ruK2>
[password change 15:11]

Feb 11 15:11:45 gerda dovecot[27158]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session=<uIZTV/BkG9w2ruK2>
Feb 12 03:43:55 gerda dovecot[21467]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session=<c5BM2fpkdsk2ruK2>
Feb 13 03:43:29 gerda dovecot[21467]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session=<UaKS9Q5lmsA2ruK2>
Feb 14 03:42:54 gerda dovecot[21467]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session=<8iBUESNlfq02ruK2>
Feb 14 03:48:04 gerda dovecot[21467]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session=<PrnSIyNlSNk2ruK2>
Feb 15 03:43:09 gerda dovecot[21467]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session=<TAwXMDdlGQ02ruK2>
Feb 15 03:48:17 gerda dovecot[21467]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session=<iRBvQjdlxzU2ruK2>
Feb 16 03:42:56 gerda dovecot[14042]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session=<SV0lTUtlz882ruK2>
Feb 16 03:48:03 gerda dovecot[14042]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session=<xW1oX0tlm/c2ruK2>
Feb 17 03:43:13 gerda dovecot[14042]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session=<lwIDbF9lgu42ruK2>
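To spot this pattern in your own dovecot logs (both the successful logins from the two AWS addresses above and the repeated "auth failed" attempts after the password change), here is an added detection script that is not part of the original advisory. It parses imap-login lines and counts, per remote IP inside a watched network, successful logins and failed attempts; the two network prefixes are constructed placeholders and should be replaced with the current EC2 prefixes published in Amazon's ip-ranges.json.

```python
import ipaddress
import re
from collections import defaultdict

# Matches dovecot imap-login lines of the two kinds shown in the advisory:
# successful logins and failed authentication attempts both carry user=, method= and rip=.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ dovecot\[\d+\]: imap-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=(?P<user>[^,]+), method=(?P<method>\w+), rip=(?P<rip>[\d.]+)"
)

# Constructed sample prefixes covering the two addresses named in the advisory.
# Replace with the current EC2 prefixes from https://ip-ranges.amazonaws.com/ip-ranges.json
WATCHED_NETWORKS = [ipaddress.ip_network(n) for n in ("34.192.0.0/10", "54.160.0.0/12")]

# Constructed sample log: copies of lines from the advisory plus one login from a
# documentation address (192.0.2.10) that must not be flagged.
SAMPLE_LOG = [
    "Feb 10 19:03:20 gerda dovecot[8541]: imap-login: Login: user=****, method=PLAIN, rip=34.197.140.199, lip=****, mpid=9975, TLS, session=<XnHSdd9kwEwixYzH>",
    "Feb 10 19:03:21 gerda dovecot[8541]: imap(****)<9975><XnHSdd9kwEwixYzH>: Logged out in=38 out=566",
    "Feb 10 19:03:22 gerda dovecot[8541]: imap-login: Login: user=****, method=PLAIN, rip=54.174.226.182, lip=****, mpid=9977, TLS, session=<Q0Lqdd9k36A2ruK2>",
    "Feb 11 15:11:45 gerda dovecot[27158]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session=<uIZTV/BkG9w2ruK2>",
    "Feb 11 20:00:00 gerda dovecot[27158]: imap-login: Login: user=****, method=PLAIN, rip=192.0.2.10, lip=****, mpid=7000, TLS, session=<constructed0001>",
]

def parse_login_line(line):
    """Return ts, user, method, rip and ok (True for a successful login), or None for other lines."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "user": m["user"], "method": m["method"],
            "rip": m["rip"], "ok": m["event"] == "Login"}

def in_watched_network(ip, networks=WATCHED_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def summarize_watched(lines, networks=WATCHED_NETWORKS):
    """Per remote IP inside a watched network: (successful logins, auth failures)."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse_login_line(line)
        if rec and in_watched_network(rec["rip"], networks):
            stats[rec["rip"]][0 if rec["ok"] else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

if __name__ == "__main__":
    for ip, (ok, failed) in summarize_watched(SAMPLE_LOG).items():
        print(f"{ip}: {ok} logins, {failed} failed attempts from watched network")
```

Any successful login from a watched network for a mailbox that is only ever used from phones is the signal to change the password; continuing failures from the same address afterwards match the retry pattern shown in the second excerpt.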

History

2018-02-10 recognized behaviour, first write-up

2018-02-11 first mail sent to abuse@amazonaws.com and privacy@bluemail.me

2018-02-15 answer from Amazon, citing BlueMail's response to Amazon's inquiry (BlueMail has not answered my direct question yet):

"Our server is opening legitimate IMAP connections for users' accounts which use our Android e-mail client, this is done to be able to send push notification on new e-mails on their accounts. If further information is required you can direct them back to report@bluemail.me"

2021-10-23 After some tests on Android and iPhone the behaviour was no longer observed.

2023-12-24 Message from users observing the documented original behaviour on some of their accounts.