Posted by Scott Arciszewski on Jun 21

Hi Full Disclosure readers,

The symmetric-key encryption used in Tutanota is vulnerable to ciphertext
malleability (a.k.a. arbitrary bit rewriting), since they fail to
authenticate their ciphertexts. The offending code snippet (for the Android
version of their app) is here:

https://github.com/tutao/tutanota/blob/7902514b846539643586baba10f293bf8ac975fc/native/src/android/de/tutao/plugin/Crypto.java#L246-L261

I am not the first to discover this…