Recently, the Alibaba Security team collaborated with Indiana University Bloomington to reveal a new security threat: a single malicious email can instantly crash macOS and iOS systems! The research is based on malformed X.509 certificates, which attackers exploit to trigger denial-of-service (DoS) vulnerabilities in cryptographic libraries.
X.509 certificates are key tools for verifying identities and protecting data security in the internet world. They act as "IDs," issued by trusted institutions, to ensure the authenticity of communication parties and secure information transmission. However, the Alibaba Security team discovered that these certificates can become targets for attackers during the processing stage.
Researchers conducted experiments on six mainstream open-source cryptographic libraries, including OpenSSL and Bouncy Castle, and found 18 new vulnerabilities and identified 12 known vulnerabilities. By sending malicious emails containing malformed X.509 certificates (called "Banana Email" attacks), attackers can exhaust system resources when processing certificates, causing the system to become unresponsive.
This issue is particularly serious because modern operating systems use these certificates for application signature verification. If the attack is successful, other applications on the system will be unable to function properly, causing great inconvenience to users. The research team emphasized that existing security studies often overlook usability issues, and their work is the first systematic analysis of this area.
To address this threat, researchers developed an automated tool called X.509DoSTool, which can quickly generate malformed certificates and detect DoS vulnerabilities in cryptographic libraries. At the same time, they proposed mitigation strategies for these vulnerabilities to enhance system security.
This research has been published at the USENIX Security’25 conference and received a nomination for the "Oscars of the Hacker World," highlighting its importance and influence. As cybersecurity threats continue to evolve, users and developers should remain vigilant and pay attention to these potential security risks.