Hacker News

Roundcube Webmail: SVG feImage bypasses image blocking to track email opens

73 points by nullcathedral ago | 16 comments

smelendez |next [-]

I often think the best way to defeat email open tracking would be for a mainstream email client to prefetch every image when a non-spam email is received and cache it for 72 hours or so.

Every email gets flagged as “opened,” so the flag is meaningless, and recipients can see the images without triggering a tracker.

mzi |root |parent |next [-]

I worked for a short time for an American company. They had periodic phishing test from Mitnick. The links in those emails was not to be clicked as it would trigger a mandatory training. The emails also had a header saying they were a phishing test, so I deleted all those emails in a filter.

The company also ran a mail filter called Baracuda or something similar that followed links in emails to see if they were malicious.

I was quite annoyed when I was called to do the mandatory training as "I" had clicked a link (on an email I hadn't seen) and more so when told I had no other recourse than to sit through it.

I resigned shortly afterwards.

mmh0000 |root |parent |next |previous [-]

Some of the big providers already do this, notably Apple and Gmail:

https://www.litmus.com/blog/gmail-prefetching-images

BobbyTables2 |root |parent |next |previous [-]

That still provides “human” vs “bot” feedback to the sender.

An automated system processing emails isn’t going to be fetching images or rendering attached SVGs.

Saris |root |parent |previous [-]

I think this is what icloud does. Seems like an easy way to make tracking useless if every client did it.

jszymborski |next |previous [-]

Too bad CORS doesn't fix this. It would be awesome to be able to sandbox a page completely.

Avamander |next |previous [-]

SVGs are just the tip of the iceberg of how hard it is to sanitize email content. There aren't any purpose-built good libraries for email sanitization either. Something that would handle SVG, CSS, HTML, everything.

Galanwe |next |previous [-]

Nice catch!

I am trying to read as less _online_ as possible nowadays. I essentially have dovecot in my crontab, and read it off roundcube. It's been working great, RoundCube is dead simple to setup and use, the UI and search are very fast.

jonathanlydall |next |previous [-]

Slightly related, but fraudsters love using .svg attachments, typically the mails purport to be for an invoice which you need to log into your Microsoft account to be able to “securely” view.

I’m not sure if Exchange Online doesn’t scan them or something, but I landed up making a rule which blocks all emails with either .svg or .htm(l) attachments and to notify me when blocked.

Happens a couple of times per month for the our small company, no false positives yet.

michaelteter |next |previous [-]

Not disputing the article, nor insinuating that there's some ulterior motive, but it's curious that this blog has only one post; and the About page suggests a lengthier history (with references to what would have been previous posts).

nullcathedral |root |parent [-]

Author here! Are you referring to the "What’s inside this vendor’s VMware images?" on the about page? That is merely an illustration of what goes on inside my head. This is the first article on my blog.

michaelteter |root |parent [-]

Yes, those were the suggestions which made me think there was a disparity between the About and the posts (or lack thereof).

Best of luck to you on your blog. I would suggest you also add a "welcome to my blog" post where you give a little background about why you're writing the blog and what kinds of content readers can hope to see in the future. There's no denying that you have little content, so you might as well make it clear to readers _why_ that is. Plus, it sets them up to be interested to see what's coming next.

nullcathedral |root |parent [-]

Good suggestion! Thanks. I'll go write up a welcome post soon :)

stragies |next |previous [-]

Hmm, I wonder, if roundcube was the exception (w.r.t feImage), or if soon other webmail clients will need to be patched

nullcathedral |root |parent |next [-]

Author here! I have looked at Thunderbird. I'll go and look at some others as well, should have probably done that earlier.

zimpenfish |root |parent |previous [-]

I wouldn't vouch 100% for my PHP understanding but it looks like SnappyMail removes `<svg>` elements entirely (`BuildHtml` in `snappymail/v/2.38.2/app/libraries/MailSo/Base/HtmlUtils.php`)

|previous [-]