Automatic logout mailbox Guard

mailbox.org Support shared this problem 42 hours ago
In Progress

Dear mailbox customers,

We would like to inform you about a security-related aspect of using mailbox Guard.

Currently, the automatic logout from mailbox Guard does not work when you log out of the mailbox web client if “Remember default password” is selected under “All settings...” → “mailbox Guard” → “mailbox Guard default settings” → “mailbox Guard default settings.”

In this case, it is possible to access Guard again after logging back into the mailbox web client without having to re-enter the Guard password. Accordingly, emails can continue to be sent encrypted and signed without a new password prompt.

We would like to point out that this is only relevant if the login takes place from the same device on which the Guard was previously unlocked. The Guard session is only active on that specific device. An attacker who gains access to an account from a different device would therefore not have access to the Guard.

This behavior does not meet the intended security requirements. We are already in contact with Open-Xchange to clarify the cause and achieve a timely fix.

As a temporary workaround, we recommend selecting the “Ask each time” option under

“All settings...” → “mailbox Guard” → “mailbox Guard default settings” → “Remember password default.”

In this mode, the Guard password is requested each time you access it, and the Guard remains unlocked only for the duration of the mailbox session. This does not meet our security requirements. In this mode, the Guard password is requested each time you access the mailbox, and Guard remains locked after the mailbox session ends. This does not meet our security requirements, so we are working on improving this.

We will keep you updated on further developments here.

With kind regards

Your mailbox Support

---

Replies (1)

This forum post by mailbox is a response to this thread: https://userforum-en.mailbox.org/topic/4296-beware-guard-isnt-signing-out-properly

However, hiding this security threat away in a forum announcement does not adequately inform customers of the dangers present. Why? Because reading this announcement requires users to manually navigate to the mailbox forum of their own initiative, without prompting, and just happen to click on it. How many people are going to do that? Not many. And perhaps that's the point. This is why I suggested an email, website banner announcement, or in-app notification, so that no one remains vulnerable. I hope mailbox will do what's best for their customers and not their image. I look forward to proper disclosure in the near future.
