Last week I released a new version of the Email Privacy Tester. It’s very similar to the old version, but it lives on its own domain, has some new tests and a more responsive and efficient user interface. I also released the full source code at the same time under the GNU GPL here. It’s written in CoffeeScript and runs on top of Node.js. Both of these technologies have really impressed me recently; if you’re a web developer, check them out.
The video tag test has been split into several separate tests; I recently discovered that the stock Android IMAP client, K-9 Mail, and the Hotmail webmail interface all fetch the URL from the video tag’s “poster” attribute before the user clicks “load remote images”. For example, if an HTML email contains this tag, the poster URL is requested without the user choosing to load remote images:
<video poster="http://TRACKING_URL/"></video>
I reported it to security@android.com, secure@microsoft.com and K-9 about a month ago. Android never responded, Microsoft said they’d look into it. I’m not sure if K-9 are going to patch over the problem themselves, or wait for Android to patch the hole.
I also added some new tests for detecting when a read receipt is sent. I discovered that on an Exchange 2007 system I use, if I access my email via IMAP instead of MAPI, the Exchange system silently sends a read receipt as soon as I read the email, without asking my permission. Whilst I’m on the topic of Exchange 2007, the “light” version of Outlook Web Access on Exchange 2007 automatically loads images from “input” tags of type “image”, before the user selects to load remote images:
<input type="image" src="http://TRACKING_URL/">
I reported this to Microsoft at some point last year and never received a response. I’ve not had access to an Exchange 2010 system yet to test but I expect to soon. I’m also aware of currently existing leaks in Sparrow Mail and the Palm OS email client. Please test your clients and let me know if you find anything.
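As an added example (my own illustration here, not code from the Email Privacy Tester), the following Node.js snippet scans an HTML email body for the two leaks described above, a video “poster” attribute and an “input” tag of type “image”, plus a few other common remote-resource attributes, and reports every http(s) URL a client would fetch if it loads those elements before the user opts in. The sample message body and the tracker.example host are constructed for the demonstration.

```javascript
// Added example, not the Email Privacy Tester's own code: list the remote
// resources an HTML email would cause a client to fetch, so a defender can
// see which tags in a message are capable of leaking a "read" event.

// Tag/attribute pairs that reference a remote resource. The first two are
// the cases discussed in the post; the rest are common additions.
const REMOTE_ATTRS = [
  { tag: 'video',  attr: 'poster' },
  { tag: 'input',  attr: 'src', when: { type: 'image' } },
  { tag: 'img',    attr: 'src' },
  { tag: 'audio',  attr: 'src' },
  { tag: 'source', attr: 'src' },
  { tag: 'link',   attr: 'href' },
];

// Parse the attributes of one opening tag into a lower-cased key/value map.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return [{tag, attr, url}] for every remote http(s) reference in the body.
// cid: and data: references stay inside the message and are not reported.
function findRemoteFetches(html) {
  const found = [];
  const tagRe = /<\s*([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttributes(m[2]);
    for (const rule of REMOTE_ATTRS) {
      if (rule.tag !== tag) continue;
      if (rule.when && Object.entries(rule.when)
          .some(([k, v]) => (attrs[k] || '').toLowerCase() !== v)) continue;
      const url = (attrs[rule.attr] || '').trim();
      if (/^https?:\/\//i.test(url)) found.push({ tag, attr: rule.attr, url });
    }
  }
  return found;
}

// Constructed sample body reproducing the two leaks described in the post.
const SAMPLE_EMAIL = `<html><body><p>Hello</p>
<video poster="http://tracker.example/v?id=1"></video>
<input type="image" src="http://tracker.example/i?id=2">
<img src="cid:inline-logo">
<input type="text" src="http://tracker.example/ignored"></body></html>`;

console.log(findRemoteFetches(SAMPLE_EMAIL));
```

Run it against a saved message body to see which elements a client must hold back until the user asks for remote content.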