Beware - Guard isn't signing out properly

Maximus shared this problem 21 days ago
In Progress

To reproduce:

1. Sign in to mailbox with your username, main password, and Guard password (if prompted to do so when opening an encrypted email or document)

2. Sign out of mailbox (either via the top right sign out icon OR by clicking the my account icon and selecting the third option to "sign out"). Do NOT click "sign out mailbox Guard." Signing out of your account is supposed to also sign you out of Guard.

3. Sign back into mailbox. Click my account icon at the top right. You should not see the option to "Sign out mailbox guard" because when you signed out of your account, it should have also automatically signed you out of Guard simultaneously. So far everything looks good, but it's not.

4. You think you were signed out of Guard, but you really weren't. Try opening an encrypted email or file and voila! Easy access, just like that. No Guard password needed. Turns out it was STILL ACTIVE the whole time. What kind of security risk or broken promises are we dealing with here? Now navigate back up to your my account icon and you'll see "Sign out mailbox guard" now appears, even though YOU NEVER SIGNED IN WITH YOUR GUARD PASSWORD.

What does work: signing out of your Guard password first, then signing out of your account.

What troubles me: If this behavior is isolated to me, that means it's a targeted attack, which means any one of you could be next and mailbox absolutely cannot be trusted with your keys. If this behavior is not isolated to me, it means we're all dealing with anything from poor programming and/or design choices yet again (best case) to a larger scale security risk for the entire mailbox community (worst case).

Please try reproducing and post your results here so we can help each other. In the meantime, I will be reaching out to support. Wait times are very long so it may be weeks before I get a response.

Replies (8)

I don't use the guard service, so I have no way of testing it right now.

Which option did you select in the guard settings: “Remember password default setting”?

Thanks for your response! Good question. Mailbox Guard "remember password default" is set to "Session", per my usual settings. I have had it set to "Session" for years and it's never remained signed in when I sign out until recently.

Nothing more dangerous than the illusion of privacy and security.

Day 2 - Same problem, no resolution. How about you?

I have reproduced this and confirm it's a thing.

It seems the Guard session is not affected by signing out of the account. As a result, the "After I log out" option under "Ask for password again" on the Guard password prompt is broken. It's better not to use this option until it's fixed. Select "Always" or "After 10 minutes" instead.

Yeah, definitely file a ticket to the Mailbox Support and ask them to fix this. However, they are probably overloaded, so it may take quite some time for them to respond and resolve the issue.

> Select "Always" or "After 10 minutes" instead
Or longer, if needed, the point is that the timeout (e.g., "After ? minutes") ensures the Guard session will expire.
For now, it is also a good practice to manually sign out the Guard before signing out the account.

That's all my thoughts about this.

Hi,

thank you all for posting your findings. I will forward this to our administrators, so they can look into it. We will post our findings here as soon as we have some results. Until then, we ask for a little patience.

With kind regards

Felix Kaspar
mailbox support

Thanks for your reply, Felix! Please coordinate with Wesley on Ticket#8748498. I look forward to a swift resolution. Better yet, an explanation and apology.

15 days later. The same vulnerability remains, giving customers the false illusion of security. No update from support on my ticket. No public acknowledgement or warning for mailbox customers via blog, email notification, or homepage notice that this problem exists. No apologies offered or explanations given. Standard fare. The company that shall not be named shall not be named.

Hello Maximus,

thank you very much for your message. Due to the holidays and the resulting vacations, our response took a little longer than usual. We apologize for the delay.

Our administrators have explained to me that this is the Open-Xchange default. The reason for this is that the session lifetime of the Guard is not identical to the session lifetime of the Open-Xchange session. Unfortunately, there is currently no way to link these two sessions so that one can terminate the other. Our product managers have decided that we want to link both sessions, so that you will be logged out of the Guard as soon as you log out of the mailbox webclient. We are therefore submitting a feature request to Open-Xchange to make this possible.

Until then, I recommend setting the query under “Settings” > “Mailbox Guard” > “Mailbox Guard default settings” to “Ask each time” as a temporary workaround.

Please accept our apologies for the inconvenience. I hope that Open-Xchange will implement our request soon. Please let me know if you have any further questions or feedback.

With kind regards

Felix Kaspar
mailbox support
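The two posts above (the "After I log out" option being broken, and support's explanation that the Guard session and the account session have separate lifetimes) describe a session-linkage problem. The following is an added example, not code from mailbox.org or Open-Xchange: a toy model in Python of two independent session stores, with an unlinked logout (the behavior reported in this thread) next to a linked logout that cascades, and the timeout policies from the Guard settings applied to each. The class, function and option names and the TTL values are assumptions for illustration only.

```python
# Added example: a toy model of two independent session stores, written to
# illustrate the thread's point. It is not Open-Xchange or mailbox.org code;
# the names, the TTL values and the cascade logic are assumptions.
import secrets
import time

NEVER = None          # models "Ask for password again: After I log out"
ASK_EACH_TIME = 0     # models "Ask each time": no standing Guard unlock
TEN_MINUTES = 600     # models "After 10 minutes"


class Sessions:
    """Account (webmail) sessions and Guard (crypto) sessions kept apart."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.account = {}   # account_sid -> username
        self.guard = {}     # guard_sid -> {"user", "parent", "expires"}

    def login(self, user):
        sid = secrets.token_hex(16)
        self.account[sid] = user
        return sid

    def unlock_guard(self, account_sid, ttl):
        """Guard password accepted: open a Guard session for this account session."""
        user = self.account[account_sid]
        gsid = secrets.token_hex(16)
        self.guard[gsid] = {
            "user": user,
            "parent": account_sid,  # remembered so a linked logout can find it
            "expires": None if ttl is NEVER else self.clock() + ttl,
        }
        return gsid

    def guard_unlocked(self, gsid):
        """True if the Guard session exists and has not timed out."""
        s = self.guard.get(gsid)
        if s is None:
            return False
        if s["expires"] is not None and self.clock() >= s["expires"]:
            del self.guard[gsid]
            return False
        return True

    def logout_unlinked(self, account_sid):
        """Behavior reported in the thread: only the account session ends."""
        self.account.pop(account_sid, None)

    def logout_linked(self, account_sid):
        """Expected behavior: the account logout cascades to its Guard sessions."""
        self.account.pop(account_sid, None)
        for gsid, s in list(self.guard.items()):
            if s["parent"] == account_sid:
                del self.guard[gsid]


def guard_survives_logout(ttl, linked, elapsed=0.0):
    """Reproduce steps 1-4 of the report against a fake clock.

    Sign in, unlock Guard with the given timeout policy, sign out of the
    account (linked or not), sign back in, then check whether the browser's
    old Guard session still opens encrypted mail.
    """
    now = [0.0]
    st = Sessions(clock=lambda: now[0])
    sid = st.login("maximus")
    gsid = st.unlock_guard(sid, ttl)
    (st.logout_linked if linked else st.logout_unlinked)(sid)
    st.login("maximus")      # sign back in; the Guard cookie is still in the browser
    now[0] += elapsed
    return st.guard_unlocked(gsid)


if __name__ == "__main__":
    for label, ttl in (("after I log out", NEVER),
                       ("after 10 minutes", TEN_MINUTES),
                       ("ask each time", ASK_EACH_TIME)):
        for linked in (False, True):
            print(f"{label:17s} linked={linked!s:5s} "
                  f"still unlocked after logout: {guard_survives_logout(ttl, linked)}")
    print("after 10 minutes, unlinked, 11 min later:",
          guard_survives_logout(TEN_MINUTES, False, elapsed=660))
```

With the unlinked logout, "After I log out" leaves the Guard session open indefinitely, which is the case described in the original post; a timeout policy only bounds the exposure window, and "Ask each time" never leaves a standing unlock. Only the linked logout, where the Guard session records the account session that created it and is removed with it, gives the behavior the knowledge base promises.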

Dear mailbox support,

  1. Why bury your response in a support thread most mailbox customers will never see? This problem impacts everyone using Guard. If you truly care, you should let the entire mailbox community know NOW that this is broken and why it's broken and how to mitigate it and how you're planning on fixing it.
  2. "Our product-managers have decided that we want to link both sessions, so that you will be logged out of the Guard as soon as you log out of the mailbox webclient. We are therefore submitting a feature request to Open-Xchange to make this possible." This is PR speak. Knock it off. You didn't come up with some brilliant new idea. The old OX version signed users out of Guard properly. The fact is, this is just one bug in a long series of regressions the updated Open-Xchange software is plaguing mailbox customers with. The new paint job is concealing a failing product. This only fools new customers who don't know any better. Those who have been loyal to mailbox over the years can see right through it.
  3. Speaking of loyal mailbox customers, I find myself consistently doing your job for you and being censored or criticized for it. Why am I the one to find and point out a major security flaw? That's not my job. That's your job.
  4. But if I must, I could solve 80% of your problems with a 2 hour conversation with your CEOs.

Dear Maximus,

thank you very much for your response. I apologize upfront, since I can't address all of your grievances. The most important thing is: We are hearing you. We understand that you want the Guard session to end, when logging out of your mailbox account, thus ending the mailbox session.

It's very important to clarify that the current functionality is not a bug. The Guard session works the way Open-Xchange intends it to work. That is the reason why we had to file a feature request.

I completely understand that you want the Guard session to end when you log out of your mailbox account. So we are now waiting on a response from Open-Xchange in the hopes that they will implement this feature soon.

Until then, I recommend setting the query under “Settings” > “Mailbox Guard” > “Mailbox Guard default settings” to “Ask each time” as a temporary workaround. I will discuss with my colleagues how we can communicate this broadly.

With kind regards

Felix Kaspar

Let's cut the bull and be clear about what's going on and why:

  1. Before the new Open-XChange app suite rolled out, mailbox users were immediately signed out of Guard when they signed out of their account. This was an intentional programming decision to promote security and was communicated as such.
  2. After the new Open-XChange app suite rolled out, mailbox users were no longer signed out of Guard when they signed out of their account. No one was notified. This left customers with the illusion of security, believing they had signed out of Guard when in fact they hadn't.
  3. No one at mailbox or Open-XChange noticed, fixed, or publicly addressed this security vulnerability. Instead, a customer did their job for them. That customer (me) framed this as a serious security problem, NOT a minor bug meriting yet another feature request to the crippled OX App Suite.
  4. When this vulnerability was brought to mailbox's attention, the team refused to publicly acknowledge that both they and Open-XChange had dropped the ball. Admitting fault from either party is considered bad optics. At the time of this post, it's been 17 days since my initial report was filed, and not a single mailbox customer has been officially warned about this security risk (via blog post, in-app notification, sign-in notice, or email). Excuses forthcoming.
  5. According to this mailbox knowledge base article (see attached screenshot) the mailbox Guard signing out the same time a user signs out is a SECURITY PROMISE, not a FEATURE REQUEST. In this case, it's a broken promise.
  6. Meanwhile, mailbox boasts of its latest audit awards from BSI. "These certificates confirm our high security standards, especially for cloud services, through independent testing agencies and demonstrate our consistent commitment to protecting your data."
  7. This latest embarrassment is just one of many examples over the past year of mailbox over-promising and under-delivering. The forums are full of unhappy customers. My support inbox is overflowing with unanswered requests for Open-Xchange to fix problems they created.
  8. All of this would be bearable if the tenor of mailbox moved FROM blame shifting, rudeness to their most loyal customer base, and public relations management TO one of accepting responsibility, taking accountability, and acknowledging the elephant in the room: Open-Xchange is beginning to do more harm than good.

Hello Maximus,

you are right about the core issue: the current behavior is not what it should be. Guard did sign out automatically when a user signed out of their mailbox session under OX7. This was an intentional, security-relevant behavior and it is expected to work the same way today. The fact that it currently does not is a bug, not a feature change or a deliberate design decision.

In my earlier reply, I misunderstood parts of the situation and therefore described it incorrectly. Thank you for pointing this out and helping to clarify the matter. I apologize for the confusion.

We are already in contact with Open-Xchange regarding this issue. Until the issue is resolved, we will clearly point out the current behavior in this forum so users are aware of it.

It was never our intention to downplay the problem. We agree that clearer communication would have been appropriate earlier, and we appreciate you bringing this to our attention in such a detailed and persistent manner.

Trust in security-related functionality depends on transparency and reliability. This is something we take very seriously, and your feedback is an important part of that process.

Thank you again for raising this issue. If you would like to receive updates on the status, please let us know.

Kind regards

Felix Kaspar
