
SL injects Contact Name in replies which isn't visible/editable anywhere in Web UI

Open obadz opened this issue 3 weeks ago • 0 comments

Prerequisites

  • [x] I have searched open and closed issues to make sure that the bug has not yet been reported.

Bug report

Describe the bug

When replying to an email from a mailbox, reverse aliases get replaced by their "real" addresses (.website_address), but the display names in the header also get replaced by the .name field, which is pulled from the SL database, but this field is not directly visible in the UI and certainly isn't editable. This happens here: https://github.com/simple-login/app/blob/463ca56ed75e2ead9547f967ca333e93d9514c42/email_handler.py#L393

This can be exploited as follows:

Bob sends me an email via one of my aliases and annoyingly Cc's Jack as "Some Obscene Insult <[email protected]>". Now, if I want to write to Jack, and regardless of how I get Jack's reverse alias, he will receive an email where he is being insulted in the header!

For instance, if I copy the reverse alias from the SL website, I will get "Some Obscene Insult | [email protected]" <[email protected]>". In my email client, I can change the obscene insult to a reasonable name, but when I send, SL will inject the insult back into the header!

If I copy the reverse alias w/o the display name in the Android app, I am completely unaware of the insult.

Another possible flow: Jack emails me, and Bob (who somehow knows about this email) emails both me & Jack (with the insult). Bob's message can be spammy or nonsense so nobody notices it, but it still updates Jack's .name in the SL database. When I reply to Jack's e-mail, the insult is injected!

Expected behavior

I expect display names of all contacts to be visible and editable in the UI.

Ideally, they would not be stored in the database at all: instead SL could encode the display names by adding "| some extra bits" during forwards and removing the extra bits in the reply direction. Figuring that out isn't trivial as it will depend on the "Sender Address Format" in the settings, so maybe that can come at a later stage.

obadz · Dec 09 '25 19:12
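
The reply-direction header rewrite described in this issue, as an added sketch that is not SimpleLogin's code and not part of the original report: it contrasts using the stored contact name with keeping only the name the user typed. The `Contact` class, `rewrite_recipients`, the ` | ` suffix convention, and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from email.utils import formataddr, getaddresses


@dataclass
class Contact:  # hypothetical stand-in for a contact row, not SimpleLogin's model
    reverse_alias: str
    website_email: str
    name: str  # display name learned from inbound mail, i.e. sender-controlled


def rewrite_recipients(header: str, contacts: dict, trust_stored_name: bool) -> str:
    """Swap reverse aliases for real addresses in a To/Cc header value."""
    out = []
    for typed_name, addr in getaddresses([header]):
        contact = contacts.get(addr.lower())
        if contact is None:  # not a reverse alias: leave the recipient untouched
            out.append(formataddr((typed_name, addr)))
            continue
        if trust_stored_name:
            # Behaviour reported in the issue: the stored name overrides
            # whatever the user typed in their mail client.
            name = contact.name
        else:
            # Alternative: keep only what the user typed, minus an assumed
            # " | original address" suffix added in the forward direction.
            name = typed_name.split(" | ", 1)[0].strip()
        out.append(formataddr((name, contact.website_email)))
    return ", ".join(out)


# Constructed sample data (reserved example.com / example.org domains).
CONTACTS = {
    "ra+abc@sl.example.com": Contact(
        "ra+abc@sl.example.com", "jack@example.com", "Some Obscene Insult"
    )
}
TYPED = "Jack <ra+abc@sl.example.com>"  # what the user wrote in the To field

if __name__ == "__main__":
    print(rewrite_recipients(TYPED, CONTACTS, trust_stored_name=True))
    print(rewrite_recipients(TYPED, CONTACTS, trust_stored_name=False))
```

With `trust_stored_name=False`, a bare reverse alias copied without any display name goes out with no display name at all, so nothing the user never saw reaches the recipient.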