Cookies are Security Hole in HTML Email 152

Richard Smith just keeps uncovering security holes. Today it's the Email Cookie Leak. By reading mail, you unknowingly register your email address in someone's database, and accept their cookie. Next time you browse their site, or a site they have banner ads or other GIFs on, you are essentially broadcasting your email address while you surf. As Smith points out, just wait until banner-ad companies start taking advantage of this. I repeat the suggestion I made in October: browsers (and all clients that speak HTTP) should reject cookies not sent with the page.

  • how many more reasons do you need?


  • Yes. I was also surprised when I realized that Java and JavaScript are automatically set to be usable in email as the default under Netscape mail... I turned that off promptly. Java execution in Netscape 4.7 seems to core an awful lot... which is really annoying.

    In any case, I run everything through my junkbuster proxy, which makes me feel happy and secure... I recommend junkbuster to anyone and everyone who values their privacy and hates banner advertisements... especially the ones on slashdot. ;)

  • From what I understand from the context of this bug, you can have a cookie be sent as a result of reading an HTML-encoded e-mail, right? Well, there's one problem I have with this. The only way for the cookie to be sent to a banner-ad company - who supposedly has a cookie on your computer - would be for them to spam you, and we all know how bad spamming is. Sure, an ad company could start to throw something like this together, but it would only be a matter of time before the FTC got wind of it and started shutting people down.

    If the e-mail was sent as a response to registering for software, or perhaps subscribing to some advertising-paid mailing list, then I suppose that would be legal. Even then, though, what good would linking the cookie to their e-mail address do but to promote more spam?

    There's no way anyone could economically prosper off of this bug, and if they do, it's illegal because of the spam factor, and won't appeal to reputable companies, who the advertising companies are targeting for money. Microsoft and Netscape should probably get this hole looked at, though, just in case something destructive could come from it.
  • It isn't too surprising that something like this happened.

    Browsers do warn you about sending information. Should they also warn about opening Emails? Perhaps a browser should check the email for cookies before opening. If it finds one, then it could warn you that this could be a security risk.

    Let's hope to god that those banner companies don't get in on this. They probably will, unless the Better Business Bureau or the Department of Commerce does something (if they even can). We can always hope. (Or start writing to them.)

    -Chompster
    Unexpected Kernel Trap at 101010
    Don't Panic!
  • This has prompted me to switch my Outlook98 settings to put Email in the 'Restricted Sites' Zone. I would suggest anyone else using Outlook/Outlook Express do the same. You can still enjoy the safe features of HTML Email (however pointless they may be) and be protected from most of the recent Outlook Exploits at the same time.

    I have been using plain text email for years and I see no reason to switch to HTML Email. I have outlook to send HTML Mail automatically, unless I'm replying to someone who sent mail to me in plain text. This way, basically all I'm using HTML Email for is to tell how sophisticated the software of the recipient/sender is ;-) I don't see a need for HTML Email, but I assume the 36 million people (99.9% lamers, unless they read /. of course) demand backgrounds and the ability to send emails to their friends with big, underlined annoying text. That's my opinion on the matter anywhoo.

  • Honestly. They could have been collecting marketing information for a long time before this was discovered.

    Anybody here work for one of the ad companies and know if the banners collect cookies?


    -*-*-*- I'm a little segfault short and stout
    this is my handle, this is my spout!
  • I should have previewed that... I meant the 36 million AOL users.
  • by cdlu ( 65838 ) on Saturday December 04, 1999 @09:49AM (#1480110) Homepage
    I have yet to find any problems with reading mail in pine or mail (mailx to some people). My favourite way is actually 'cat /var/spool/mail/`whoami` | less' - unless you have c^Hch^H^ha^H^ar^Hr you can't even make something bold there, let alone leave cookies :)

    Anyhow, the point is that reading mail with special effects is proving to be more costly than it's worth to those of us who value our privacy, and the general security of our email.

    Though - ANSI bombs are possible in mailx :)

    include "^[[10;1999]^[[11;1999]^G^[[12;1]^[[2J^[[1;1H^[[30 m^[[40m^^[[12;2]^[[2J^[[1;1H^[[30m^[[40m ^[[12;3]^[[2J^[[1;1H^[[30m^[[40m^[[12;4]^[[2J^[[1; 1H^[[30m^[[40m^[[12;5]^[[2J^[[1;1H^[[30m ^[[40m^[[12;6]^[[2J^[[1;1H^[[30m^[[40m[[31m^[[5m^[ [20;20HMAILX IS NO SAFER THEN NETSCAPE MAIL!!^[[K^G" in a message and open it with mailx or cat, (on a linux console). (Replace ^[ with \x1B or \33 or however else you want to put ESCape there, and ^G with control-G. All other ^ are the property of their respective control characters. :))

    Don't^H^H^H^H try this at home!
  • Why even let your web browser know what your email address is? It's not necessary ... most people don't even use their web browsers to send mail anyways (unless ie and outlook are so joined together ... possibly)

    Erik
  • Let us see now, if I can predict the future:
    • Gathering starts for sites. Banner ad sites start grepping their logs and recording addresses.
    • Several knowledgeable anti-spam activists (including the Lumber Cartel(tinlc)) start browsing with tracking numbers.
    • Spammers get the lists and spew out junk
    • BOTH Spammers and Banner ad providers get nailed because people connected with who gathered the ads.
    • MAPS gets more subscribers and users.

    I think if the banner ad folks want to stay in business, they stay away from cookies. Otherwise it's a quick one way trip to bankruptcy.



    ---
    Another non-functioning site was "uncertainty.microsoft.com." The purpose of that site was not known. -- MSNBC 10-26-1999 on MS crack

  • This is nothing new. The practice of sending cookies with GIFs (or GET for GIFs) has always been a problem. Naturally any email client (HTML or not) stupid enough to support this will open up the user to a variety of abuse.

    First of all, note that there is nothing "groundbreaking" in this discovery. All this happens only if you are unlucky enough to have your email address in the hands of spammers, which is already as bad as it gets.

    What can you do to prevent such abuse? Several things: Turn off HTML enabling for your email clients (you may or may not have a choice depending on the client). Restrict (or disallow) cookies in your web browser. Use something like Junk Buster [junkbuster.com].

    Sreeram.

  • by Money__ ( 87045 ) on Saturday December 04, 1999 @09:56AM (#1480115)
    From the article: In Netscape Messenger, the GET request looks like:

    GET /sync.gif?email=john@doe.com HTTP/1.0
    Connection: Keep-Alive
    User-Agent: Mozilla/4.7 [en] (Win98; I)
    Host: www.mybannerads.com
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
    Accept-Encoding: gzip
    Accept-Language: en
    Accept-Charset: iso-8859-1,*,utf-8
    Cookie: id=c643640a

    Both the Email address and cookie value are included in the Outlook and Messenger GET requests. When the GET request is processed by the MyBannerAds server, it first extracts the customer id number from the cookie and looks it up in its database of "anonymous" profiles of Web surfers. Once it has located the profile, it then extracts the Email address from the URL query string, turning a once "anonymous" profile into an "identified" profile.

    So where does MyBannerAds get the Email addresses in the first place to send out a message which includes the SYNC.GIF file? The answer is quite simple: they "rent" the Email addresses. Or more specifically, they rent space in junk Email messages that are already being sent out. The IMG tags typically take less than 100 bytes, so they can easily be embedded in messages that are part of any Email ad campaign that is using HTML Email messages.

    Another interesting discussion about HTML Email and cookies can be found @: http://www.tiac.net/users/smiths/privacy/wbfaq.htm [tiac.net]

  • > Is it possible that cookie info is stored in multiple places on modern browsers?

    More reason to go to an open source browser.

    Also, it would be nice to be able to hack your browser to support cookies only from authorized sites. That way you could enable them for your /. login (if you so wished), but no one else. I leave them enabled with confirmation required in Netscape, but I really get tired of having to click 'no' up to 7 times per page at some sites.


    > Anybody got a decent URL for cleaning out the cookie jar?

    I haven't checked lately, but the GTK+ Application Repository [unc.edu] used to have a cookie editor. It was submitted quite a while back, so you may have to hack it a bit to make it work with the more recent GTK libraries.

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?
  • Netscape doesn't know my email address. java and javascript are disabled. And whenever anything blinks at me, I check the url and feed something to junkbuster to prevent it from happening again (sorry, hemos--yours blink, too :)

  • by Hrunting ( 2191 ) on Saturday December 04, 1999 @10:01AM (#1480118) Homepage
    I'm glad we live in a world where Slashdot's YRO keeps us vigilant against the supposedly harmful effects of Internet society. I mean, if you think about it, there are many more Internet technologies that can, when used improperly, cause security violations on your system.

    In this case, browsers simply need to be set up to function as individual components. The web browser should not have access to the same mechanisms as an e-mail client. HTML e-mail is different from loading a web page and should be treated as such. Cookies are not a part of HTML; they are a part of HTTP! The browsers shouldn't confuse the two. This isn't a problem with the implementations of cookies, this is a problem with the implementation of HTML e-mail and the web browser.

    And the idea that loading cookies from only that page is ludicrous. The whole idea is to be able to give an entire site access to information so that you can do things on different pages with similar information without having to repeatedly ask for that information. There's nothing in the HTTP specification that makes this harmful. Someone simply didn't implement the specification properly so now clients can share cookie files, leading to a possible hidden exchange of data between them.
  • > I would suggest anyone else using Outlook/Outlook Express do the same. You can still enjoy the safe features of HTML Email (however pointless they may be) and be protected from most of the recent Outlook Exploits at the same time.

    If you read the article, you'll find that you're still at risk with Outlook in 'Restricted Sites' Zone.

  • You mean, people use non-dedicated email programs for reading mail? Bleech. Why would I give up my pine/eudora/balsa/whatever single-purpose mail client and have to deal with all the nasty side effects? Not to mention losing all the cool mail-specific features that are optimized for the mail client, instead of just sort of being "thrown in" to match the functionality?

    -Chris
  • > There's no way anyone could economically prosper off of this bug, and if they do, it's illegal because of the spam factor, and won't appeal to reputable companies

    Is TurboTax a reputable company? See this TBTF entry that TurboTax email tries to tell them when you read the mail [tbtf.com]. Yup, they tucked hidden HTML codes in their email.
  • > (unless ie and outlook are so joined together ... possibly)

    They are....

    Bad Command Or File Name
  • If you had actually read Richard Smith's article, you'll see that he addresses the issue of how the Ad company actually gets the email to the user:

    1. Rent space on a mailing list where advertising is already sent out. Embed invisible GIFs in the email.

    2. Get into the email servicing business or acquire an email servicing company.

    > Even then, though, what good would linking the cookie to their e-mail address do but to promote more spam?

    From the company's point of view, it allows them to build better user profiles. e.g. several companies could get together and combine their databases (based on the email addresses that they now have) to build a profile of you the user.

    > won't appeal to reputable companies, who the advertising companies are targeting for money.

    Think RealJukebox.




  • Okay. So what we need is a proxy that ties in with the email software.
    So.. when someone spams you.. fine.. they spammed you. Your email software simply finds out the valid URLs for the cookie, and blocks them. Who wants to give business to spammers anyway?

    Also.. on another note, this makes it hard for the spammer to hide, like they do these days.. using temporary accounts, etc....
    They would be eaten alive and sued like mad.
  • The point is, when they spam you, they add your email address in the message on their end. Sending an email to journey@jps.net? Your image callout would be "foo.gif?journey@jps.net". It won't matter if your browser thinks you're president@whitehouse.gov.

    Added fun: if you receive mail at multiple addresses, they can relate all those email addresses to the same cookie set. Including emails you might receive through anonymizing systems, e.g. they'd know that "862139@anon.penet.fi"[1] was the same user as "journey@jps.net".

    -Peter

    [1] RIP

  • I don't have a url, but I believe you have to shut down netscape before removing the cookie file. Netscape reads it into memory when it runs, and writes the whole thing back when it exits... so removing it while netscape is running is fruitless.
  • > I'm glad we live in a world where Slashdot's YRO keeps us vigilant against the supposedly harmful effects of Internet society. I mean, if you think about it, there are many more Internet technologies that can, when used improperly, cause security violations on your system.

    Why are security holes even part of YRO? There should be a separate slashdot security section set up. (sorry!)

  • Old trick on how to automatically reject any cookies and avoid being bugged by pages requesting to put cookies:

    1. cd ~/.netscape
    2. rm cookies
    3. touch cookies
    4. chmod a-w cookies

  • If I had mod points today, I'd toss you some.

    Very good point.

    It's not the HTML that's the problem, it's the access to HTTP that is.
  • Educating users on how to secure their mail and how to use a virus scanner is a no go area when it comes to stuff like this (thus speaks a Bob of 2 years experience before anyone asks...). I mean we can *suggest* it to them but "that's your job, isn't it??". End rant.. :-)

    Securing a server against HTML mail would spark outrage and nice letters from lawyers of course but on my own server.... worth looking into methinks (more a case of hatred towards HTML mail than paranoia). An "Ask Slashdot" in the making? Perhaps.

    Suggestion to the people who develop e-mail clients (hello Washington University in my case) - can we have some sort of filter that just says "it's HTML mail, good bye *zap!*"

    Enough rambling from me... 3 posts today, I'm beginning to feel like a bus company...

    *bounces off merrily*
  • The article discussed using a HTTP request for a gif to send your email address to the web server. Then the server would set a cookie on your system. With Outlook in the "Restricted" zone, cookies are disabled (unless you messed with the settings) and thus, a cookie would not be set (unless there's another bug somewhere I don't know about). When you later visit the site that spammed you, there is no cookie because outlook didn't save it.

    I send all my spam to spamrecycle@chooseyourmail.com [mailto]; which is inherently a huge mistake, but I hope they're doing something constructive with the info...
  • No, there is a reason I use cat file | less rather than less file; here goes...

    When you use less /var/spool/mail/`whoami`, what you are doing shows up in the user listing 'w'. If you use cat | less, you go to the end of the file then go back, and it shows up as '- ?', which affords more privacy.
  • I'm not sure how this really qualifies as a security risk. After reading the /. summary I figured out exactly what was done. I thought this kind of thing was commonplace... Anyways, the point is not to let some fsckin spammer get your email address!!! Besides, can you imagine what a pain in the rear it would be if we restricted what could be passed over the http protocol and receive a cookie with... What would stop somebody from doing the same thing with frames tied to a cgi script? Come on. I'm sure some email clients will even accept frames... One last thing, instead of everybody in the world not allowing cookies to be set, why don't you just delete cookies upon login or reboot or something. The only way info about you is really gonna matter is if a lot of it is gathered, enough to link some guy clicking on stuff with what goes on in your head. But if you just delete your cookies daily, no bastards can track you around the net and you will still be able to use sites that maintain state with cookies. Better yet, just write a little script that edits your cookies file and removes all of the sites that you haven't approved every time you login...
  • For Netscape on a Mac:
    Go to your Netscape User Profile folder,
    Delete the MagicCookie file.
    Make a new folder, call it MagicCookie.
    Badda-Boom, Badda-Bing.

    Pope
  • by Anonymous Coward
    The problem is, HTML can generate HTTP hits (for images). This is actually a fairly standard mechanism for doubleclick. They get a single-pixel or inconsequential GIF on your web page, and trade cookies with the server.

    Philip Greenspun, da man of open-source cool-ass online communities says, in an absolutely brilliant chapter [photo.net] on user tracking:

    "I want to know the age, sex, and zip code of every person who visited my site so that I can prepare a brochure for advertisers."

    The traditional answer to this request is "All you can get is the IP address; HTTP is an anonymous peer-to-peer protocol." Then Netscape came out with the Magic Cookie protocol in 1994. It looked pretty innocent to me. The server gives me a cookie. My browser gives it back to the server. Now I can have a shopping basket. My friends all said, "This is the end of privacy on the Internet, Greenspun, and you're a pinhead if you can't figure out why."

    -Stephen van Egmond svanegmond@home.com
  • I'm just wondering, since some newsreaders also seem to be able to understand HTML - would this then be a problem in usenet newsgroups too?

    Obviously they wouldn't be able to get your email address, but take the situation where while surfing you're given a non-unique cookie which contains a unique number inside it (possibly from a banner ad on the page). In the usenet groups is a message which contains the hidden gif that requests the contents of this cookie. Your unique number goes back to the company, the company matches that up with their database, and voila, instant profile of not only your web-browsing habits, your e-mail address, but your newsgroup access as well.

    Kwil
  • by Anonymous Coward
    Anyone out there have a script to use as a mail pre-processor? I'd like to remove all cookies and references to HTML tags even before the message hits the mailbox.

    On a side note, I've had great luck using grep to filter out cookies after Netscape exits. (Needed for people that refuse to use a proxy like Junkbuster.)

    Here's my (quick and dirty) cookie filter:

    mv cookies cookies.old
    cat cookies.old | grep -v doubleclick.com > cookies

    It's easy to add on new sites, but I'm looking into using the Junkbuster lists to perform the same tasks.

    The same basic script could be used to strip out all lines with HTML pointing to a banner add - even if no other HTML is removed.
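
The mechanism quoted from Richard Smith's article further up (a remote image whose URL carries the recipient's address, fetched with the browser's cookie attached) and the mail pre-processor asked for in the post above, as an added example that is not from the thread or from the article. This Python script parses a constructed HTML message, reports remote images that look like web bugs, and rewrites the message so the remote images are never fetched; the sample message, host names and function names are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a junk-mail body with an embedded (cid:) logo, two web bugs
# and an ordinary visible banner.
SAMPLE_EMAIL = """<html><body>
<p>Save 50% this weekend!</p>
<img src="cid:logo@sillymail" width="120" height="40">
<img src="http://www.mybannerads.com/sync.gif?email=john@doe.com" width="1" height="1">
<img src="http://me.com/emailtrack/4321" width=1 height=1>
<img src="http://www.example.com/banner.gif" width="468" height="60">
</body></html>
"""

# Loose address pattern, good enough to spot an address inside a URL path or query
EMAIL_RE = re.compile(r"[^@\s/?&=]+@[^@\s/?&=]+\.[a-z]{2,}", re.I)
IMG_TAG_RE = re.compile(r"<img\b[^>]*>", re.I)


class ImgCollector(HTMLParser):
    """Collects every <img> start tag as a dict of lower-cased attributes."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def image_src_parts(img):
    """Return (scheme, host, split url) for an <img>; scheme is 'cid' or '' for
    embedded or relative images, which cause no request to a web server."""
    parts = urlsplit(img.get("src", ""))
    return parts.scheme.lower(), parts.hostname, parts


def find_tracking_images(html):
    """One finding per remote <img> that looks like a web bug: the URL carries an
    e-mail address, or the image is declared 1x1 (no content, only a request)."""
    collector = ImgCollector()
    collector.feed(html)
    findings = []
    for img in collector.images:
        scheme, host, parts = image_src_parts(img)
        if scheme not in ("http", "https"):
            continue
        reasons = []
        if EMAIL_RE.search(parts.query) or EMAIL_RE.search(parts.path):
            reasons.append("recipient address in URL")
        if img.get("width") == "1" and img.get("height") == "1":
            reasons.append("1x1 pixel")
        if reasons:
            findings.append({"host": host, "src": parts.geturl(), "reasons": reasons})
    return findings


def strip_remote_images(html):
    """Mail pre-processor: replace each remote <img> with an HTML comment so the
    mail client never issues the GET, and so never sends or receives a cookie for
    it. Tag-level regex matching is enough for a mail filter; it is not a full
    HTML parser, so a '>' inside an attribute value would end the match early."""

    def replace_tag(match):
        tag = match.group(0)
        collector = ImgCollector()
        collector.feed(tag)
        if not collector.images:
            return tag
        scheme, host, _ = image_src_parts(collector.images[0])
        if scheme in ("http", "https"):
            return f"<!-- remote image from {host} removed by mail filter -->"
        return tag  # embedded (cid:) images are left alone

    return IMG_TAG_RE.sub(replace_tag, html)


if __name__ == "__main__":
    for finding in find_tracking_images(SAMPLE_EMAIL):
        print(finding["host"], "->", ", ".join(finding["reasons"]))
    print(strip_remote_images(SAMPLE_EMAIL))
```

Running a message through strip_remote_images before it reaches the mailbox is the filter the post above asks for; find_tracking_images is the check to run if you only want to log or flag suspicious mail. The plain banner is not flagged because it carries no per-recipient data, but the stripper removes it too, since any remote fetch still tells the server that the message was opened.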
  • Excellent Point. After reading your suggestion, I went and did that to my Outlook as well. The trouble with this is, people with web based accounts, such as Hotmail or Yahoo, can't do that.
  • Don't read HTML email. What's the point anyway?

    Who needs bold when you have CAPS?

    Who needs italics when you have /slashes/ and *asterisks*?

    Who needs underline when you have _underscore_?

    Personally, if I get HTML formatted email from someone I don't know I trash it immediately. If someone is dumb enough to use that garbage for email then I won't read it.

    My email client of choice is Mailsmith [barebones.com] (sorry, Mac only). It is the most comprehensive client I have found... and it doesn't have any bloat on it like HTML email (THANK GOODNESS). It also lets you do queries (grep if you want to) of your email database. Also has other cool things like text manipulation, assignable key commands, and full AppleScript integration that other mail clients don't have. All this, and Bare Bones Software has the best customer support in the world.

    Beats the hell out of Microsoft Outlook Express that most of my friends use. Blech!

    Too bad Apple killed Claris Emailer, it was kinda cool too.

    Pine is still my favorite command-line email program. No need to worry about HTML email with that one either :)

    Ben
  • Here's a script [festing.org] that can be run from a cron job or each time you start/stop Netscape.

    Basically, you just need to create a .cookies.allow file in your home directory containing the names of hosts (e.g. slashdot.org) for which cookies are ok. Cookies from anywhere else get deleted each time the program is run. Makes it nice and easy to automate, since you don't have to go in and manually delete nasty cookies.

    If you have any questions about setting it up, email me.
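
The .cookies.allow approach described in the post above, together with the grep -v doubleclick.com filter and the "script that removes all of the sites that you haven't approved" suggested in earlier posts, as an added example that is not the festing.org script or any other code from the thread. It is Python working on the Netscape cookies.txt format (tab-separated domain, subdomain flag, path, secure flag, expiry, name, value); the sample jar, the allow-list contents and the function names are constructed for illustration.

```python
import sys
from pathlib import Path

# Netscape cookies.txt: one cookie per line, seven tab-separated fields:
#   domain  subdomains(TRUE/FALSE)  path  secure(TRUE/FALSE)  expires  name  value
# Lines beginning with '#' are comments; the header must survive the rewrite.
NETSCAPE_FIELD_COUNT = 7

# Constructed sample jar; the doubleclick and mybannerads entries are the ones to lose.
SAMPLE_JAR = (
    "# Netscape HTTP Cookie File\n"
    "# This is a generated file!  Do not edit.\n"
    "\n"
    "slashdot.org\tTRUE\t/\tFALSE\t946684800\tuser\tabc123\n"
    ".doubleclick.net\tTRUE\t/\tFALSE\t946684800\tid\tc643640a\n"
    "www.mybannerads.com\tFALSE\t/\tFALSE\t946684800\tid\tc643640a\n"
    ".slashdot.org\tTRUE\t/\tFALSE\t946684800\tsession\txyz\n"
)

# Constructed ~/.cookies.allow contents: one host per line, '#' comments allowed
SAMPLE_ALLOW = "# sites whose cookies I keep\nslashdot.org\n"


def parse_allow_list(text):
    """Host names from an allow file, lower-cased, without comments or blanks."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().lstrip(".")
        if line:
            hosts.append(line)
    return hosts


def domain_allowed(cookie_domain, allowed_hosts):
    """True if the cookie's domain is an allowed host or a subdomain of one:
    '.slashdot.org', 'slashdot.org' and 'www.slashdot.org' all match 'slashdot.org'."""
    d = cookie_domain.lower().lstrip(".")
    return any(d == h or d.endswith("." + h) for h in allowed_hosts)


def filter_cookie_jar(jar_text, allowed_hosts):
    """Return (new jar text, list of (domain, name) removed). Comments, blank lines
    and lines that are not seven tab-separated fields pass through untouched."""
    kept, removed = [], []
    for line in jar_text.splitlines():
        if not line.strip() or line.startswith("#"):
            kept.append(line)
            continue
        fields = line.split("\t")
        if len(fields) != NETSCAPE_FIELD_COUNT:
            kept.append(line)  # unknown format: do not silently destroy it
            continue
        domain, name = fields[0], fields[5]
        if domain_allowed(domain, allowed_hosts):
            kept.append(line)
        else:
            removed.append((domain, name))
    return "\n".join(kept) + "\n", removed


def clean_jar_file(jar_path, allow_path):
    """Rewrite the jar on disk, keeping a .old copy. Run only while the browser is
    closed: Netscape loads the file at start-up and writes it all back at exit."""
    jar_path = Path(jar_path)
    original = jar_path.read_text()
    allowed = parse_allow_list(Path(allow_path).read_text())
    new_text, removed = filter_cookie_jar(original, allowed)
    jar_path.with_name(jar_path.name + ".old").write_text(original)
    jar_path.write_text(new_text)
    return removed


if __name__ == "__main__":
    # Usage: python cookie_clean.py [~/.netscape/cookies] [~/.cookies.allow]
    jar = sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".netscape" / "cookies"
    allow = sys.argv[2] if len(sys.argv) > 2 else Path.home() / ".cookies.allow"
    for domain, name in clean_jar_file(jar, allow):
        print(f"removed cookie {name} from {domain}")
```

Because the match is on the domain field rather than a substring of the line, a cookie from "notslashdot.org" is not kept by an allow entry for "slashdot.org", which is the trap a plain grep on the file walks into.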

  • ... is that email was designed with plaintext in view. If you want HTML, please go to a Website. Email has never been designed to be some lame, contorted "sub-Website" that runs on HTML!!!! The problem is that people have this bells-and-whistles mentality: "Oh, it will be so cool if my email has HTML formatting! Oh, it will be so cool if my email can contain inline images! Oh it will be so cool if my email can contain JavaScript animations! Oh it will be so cool if my email can run cool programs on my computer automagically! Oh it will be so NOT cool when my email can format my hard drive!"

    Email with HTML is just disgusting. Especially the way it's currently done by the lame mailers that allow it: a plaintext version in the body of the email, plus an *attachment* with the HTML-ized version of the plaintext. Or worse with this annoying featurism trend, you have MS-TNEF attachments containing who knows what. I mean, WTF?!?! Talk about bloat. No wonder network bandwidth is always so congested. What's the f***ing problem with plaintext email anyways?!

    Those people who really want this kind of sick featurism should seriously consider designing a NEW protocol, NOT EMAIL, that transports this kind of crap. And I think I know what that is, too. Automatically send a ZIP file containing HTML, GIFs, JavaScript, the whole ball of crap, and the User Agent on the other end automatically decompress the ZIP, run the browser to view it.

    Alright, enough of this rant. But I just can't emphasize enough that featurism always leads to crappy implementations which in turn introduce all kinds of problems, like security holes, because the original protocol was never designed to support these kinds of "features".

  • Browsers don't warn you about sending a request for an image. Read the article. Email containing HTML which requests an image can contain a URL with a code which uniquely identifies you. The server which processes that request is what picks up the ID which was sent to you, so they know you read that email.
  • > And the idea that loading cookies from only that page is ludicrous.

    I think "jamie" misspoke. He (She? Who is this person, anyway?) probably meant that cookies should only be accepted from the site that the page came from, i.e. the machine specified in the URL. This is not the way the cookie specification currently works.

    Cookies may only be sent to the machine that created them, and even then only when a client initiates a connection with that machine. The problem is that loading one HTML page usually involves a number of http connections, which may or may not all be going to the same machine, and which the user (usually) has no control over. (That's why, for example, most users involuntarily visit ads.doubleclick.net several times a day.)

    So the solution to most of these problems is to allow the browser to accept cookies only from the site that the user is actually visiting, or the "page". A few browsers have had a setting that did just that... I think the Mac version of IE 3.0 did, for example. But it's not around much anymore, which is a shame. (Although in recent versions of IE, you can always manually put suspicious sites in your "Restricted" list, and set the browser to refuse cookies from those sites.)
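
The first-party rule proposed in the summary and refined in the post above (accept a cookie only when it belongs to the site the user is actually visiting), as an added example that is not code from any browser or from the thread. In this Python function the cookie spec's own rule is applied first (the Domain attribute must tail-match the host that sent the cookie), then the proposed page rule, and HTML mail is treated as a fetch with no page at all. It is deliberately simplified (no public-suffix handling, one Set-Cookie header at a time), and the URLs and cookie values in the demo are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def tail_matches(host, domain):
    """Netscape cookie domain matching: a leading dot means 'this domain or any
    subdomain of it'; without the dot the host must be exactly that name."""
    host, domain = host.lower(), domain.lower()
    if domain.startswith("."):
        return host == domain[1:] or host.endswith(domain)
    return host == domain


def cookie_decisions(page_url, request_url, set_cookie_header):
    """Decide, per cookie in one Set-Cookie header, whether a first-party-only
    client would store it. page_url is the URL the user actually asked for
    (None for HTML mail, where there is no page); request_url is the URL of the
    response carrying the header (the page itself, or an embedded image)."""
    request_host = urlsplit(request_url).hostname
    page_host = urlsplit(page_url).hostname if page_url else None
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    decisions = {}
    for name, morsel in jar.items():
        domain = morsel["domain"] or request_host  # default: the sending host
        if not tail_matches(request_host, domain):
            # Existing spec rule: a server may only set cookies for its own domain
            decisions[name] = "reject: Domain does not match the sending host"
        elif page_host is None:
            # No page context at all (the HTML-mail case): nothing is first-party
            decisions[name] = "reject: not fetched as part of a page"
        elif not tail_matches(page_host, domain):
            # The proposed rule: the cookie must belong to the site being visited
            decisions[name] = "reject: third-party (not the site being visited)"
        else:
            decisions[name] = "accept"
    return decisions


if __name__ == "__main__":
    # Constructed cases: the site login to keep, an ad server's cookie arriving
    # via an embedded image, a cookie for someone else's domain, and the mail fetch.
    cases = [
        ("http://www.slashdot.org/", "http://www.slashdot.org/",
         "user=abc123; Domain=.slashdot.org; Path=/"),
        ("http://www.slashdot.org/", "http://ads.doubleclick.net/ad.gif",
         "id=c643640a; Domain=.doubleclick.net"),
        ("http://www.slashdot.org/", "http://www.slashdot.org/",
         "id=1; Domain=.doubleclick.net"),
        (None, "http://www.mybannerads.com/sync.gif?email=john@doe.com",
         "id=c643640a"),
    ]
    for page, request, header in cases:
        print(request, "->", cookie_decisions(page, request, header))
```

The second case is the ads.doubleclick.net visit the post above describes: the ad server's cookie is valid under the spec, but it is rejected because the user asked for slashdot.org, not doubleclick.net. The last case is the sync.gif fetch from the article: with no page to be first-party to, the cookie is never stored, so the later browsing visit has nothing to hand back.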
  • But if there is any HTML in the email, and your email program retrieves something from a server, that can be logged. The trigger is usually actually a retrieval of an IMG URL, with the URL of the image containing a code which identifies you. Cookie stuff is an additional tracking method.
  • Yeah, so perhaps (as said before) this is not a problem with the people sending the email, but with HTTP/HTML itself.

    -Chompster
    Unexpected Kernel Trap at 101010
    Don't Panic!
  • by pb ( 1020 )
    Looks like elm is still safe, for the foreseeable future. :P
    ---
    pb Reply or e-mail rather than vaguely moderate [152.7.41.11].
  • The solution that would be perfect for me is simply to have some small 'window' displaying when a cookie is added or updated. A floating window built into the browser, or a separate program that catches cookie changes could do it. Of course if the cookie file is only updated when something like Netscape closes, an outside app might not be able to tell you what happened until after you close the browser, which wouldn't be as convenient.

    But, if this worked, I could allow cookies to be initially accepted, which is far more convenient than clicking on half a dozen yes/no boxes every time I want to log in to a web site. Since I'd be able to see when cookies appear and where they originate from, I could also catch the troublemakers as they appear and just delete them on the spot.

    Would it be possible to write a program to do this (Windoze or Linux)? I know that the cookie file, despite the warning that it shouldn't be edited, is a pretty simple text file with one line per cookie, and it's not too hard to sift out some obvious offenders after you're done browsing. I don't suppose it's that easy to modify cookies while you're actually browsing stuff though. Having notice of this info while browsing would be far more convenient though, and would save you the trouble of figuring out where a cookie came from that just has an IP address for its origin. (Not that that's terribly difficult, but it's just a bit more of a bother.) If a web browser could be made with this feature built-in, it shouldn't be a problem at all to code and I would be eternally grateful (hint hint Mozilla!).

  • by Anonymous Coward

    Better yet:

    Open the cookie file in BBEdit, delete all cookies except for those from sites that you trust which store auto-login info in a cookie.

    Save and lock the file.
  • If you still want HTML formatted emails and you want to avoid this problem, you can turn off images and those GET requests containing your email address will not be made.
  • Is there any way to simply rip all the HTML functionality out of Outlook98? I really don't want/need it - all it is, is annoying...
  • I use a program called AT Guard that will block banner ads, and any other html string. It's an OS-based firewall that's very customizable. (ICMP, TCP, PORTS, Filters)
    I also edit my cookies file every so often, and delete all those nasty banner cookies.

  • Sure, if you're reading news with Netscape. The GIF doesn't need to be hidden, either; visible ones work just as well, you just notice them.
    Since a large fraction of the spam on Usenet is porn anyway, having visible pictures doesn't surprise people.
  • Yes, but, AFAIK, Hotmail and Yahoomail and most of those services do not send out HTML mail; if they tried to do this, the bottom of messages would look like:
    -------------------------------
    Use SillyMailService(tm)!
    http://www.sillymail.com/

    Which would look very odd to most people, and not effectively track anybody. And I hope there is no service called SillyMail.

  • Yes, but, AFAIK, Hotmail and Yahoomail and most of those services do not send out HTML mail; if they tried to do this, the bottom of messages would look like:
    -------------------------------
    Use SillyMailService(tm)!
    http://www.sillymail.com/
    <IMG SRC="http://www.sillymail.com/trackme.cgi?jrl@site .com" WIDTH=1 HEIGHT=1>

    Which would look very odd to most people, and not effectively track anybody. And I hope there is no service called SillyMail. [Sorry, /. converted my &lt; into an < on preview then removed it on submit the first time.]

  • Certainly there is a way. Just ask Microsoft [microsoft.com] to remove HTML from Outlook.
  • It doesn't matter that Netscape doesn't know your email address. If it checks your email, the hole is there.

    Check this scenario:

    • I send HTML email to you@you.com with an image at the URL http://me.com/emailtrack/4321
    • You read your email and Netscape loads the image at the URL http://me.com/emailtrack/4321
    • My server says "oh, /emailtrack/4321 was sent to you@you.com so now I'll put a cookie on that machine that relates to you@you.com"

    So now, any time (unless you clean your cookies or whatever) that you visit me.com you will send a cookie to my server and my server will know that you are you@you.com

    See... I don't know why this is a big deal. It is actually pretty easy to implement.

  • HTML Email itself is a security risk. ALL browsers have security holes, and these holes have included things as serious as the ability to read arbitrary files, delete system files, and other nasties. I have seen the code for a page that will delete kernel32.dll on a Windows box running IE4.x or 5.x (given that the user has permissions on the file if you're running under NT) [code kiddies, don't ask for this, if you really want it, check out the bugtraq archives, Georgi Guninski is a genius], and Netscape has flaws that are just as bad [Netscape seems to have quite a bit more flaws than IE, I'm sad to say, which makes me an IE man]. In an effort to make browsers do more, there is a lot of the system's functionality integrated into the browsing experience, and with that exist ways to exploit those functionalities in nasty ways.

    This cookies thing is just a drop in the bucket. If you still use HTML enabled email, you're asking for someone to drop you a bomb. If you really like a Microsoft mail client and you want to continue to be able to see HTML mail, make sure you put it in restricted zone! (it's in options) This won't totally protect you, unless you have "Internet Zone" security as high as it goes, because all it takes is for someone to drop an iframe in the email source (yes it's totally possible), and that iframe is a pointer to a page that whams you.
  • by ColinG ( 86915 ) on Saturday December 04, 1999 @12:22PM (#1480169) Homepage

    Go to freshmeat [freshmeat.net] and type in 'junkbuster'. :)

    It's a personal filtering proxy that has the primary focus of replacing ad banners with a clear 1 square pixel gif image... it, however, has the added bonus of replacing your browser ID tag with something you specify (i.e., you're a large corporation that has Microsoft users inside, but externally, it looks like everyone is running Netscape, great for image) as well as blocking cookies entirely from anyone you don't trust. Very cool software.

    It has a windows port, a linux/unix port, and a MacOS port, and, if you just want to try it out, I believe there is a trial proxy server that you just specify in your netscape prefs.... last I checked it was purposely speed limited so that you would just install your own.

    Best of all, it's free.

  • I will concede that there are many useful features of using a POP/IMAP client like Outlook or Communicator for reading email and newsgroups, but it seems that more security vulnerabilities and privacy concerns are brought to light with these programs daily. If you value your privacy and desire (relative) security, use a UNIX shell client such as elm, pine, mutt, etc. These can do most, if not all, of the things that a complex POP/IMAP client can. And what they can't do isn't worth doing, in my opinion.

    Or, if you're a serious masochist, you can even use Emacs to read your email ...
  • fwiw, you can also do this with squid, with the added bonus of squid's excellent caching.
  • Here is a mainstream press article on it from then - http://www.idg.net/crd_sites_9-46489.html [idg.net].

    At the time both NS and MS said they would fix it. I guess they didn't...

    Benjamin Franz

  • I last tried Junkbuster about six months ago. At that time, the Windows client didn't have the functionality to replace ad-images with clear gifs (it would replace them with "broken image" instead) -- is that "fixed" in the latest release?

    Alex Bischoff
    ---

  • by Plasmic ( 26063 ) on Saturday December 04, 1999 @12:46PM (#1480175)
    It's more of a privacy hole than a security hole (in the context that you used 'security').

    People being able to acquire personal information and monitor your browsing habits without you knowing it doesn't increase the risk of them stealing your important files or sabotaging your network, it simply allows companies to violate Your Rights Online.
  • When I use Windows, I primarily use Eudora [eudora.com]. Is there any way to force Eudora to ignore HTML formatting? In addition to the potential security flaws, I just find HTML formatting (in e-mail) to be annoying :-/.

    Alternatively, is there any way to connect Eudora to an "e-mail proxy" to get the same functionality?

    Alex Bischoff
    ---

  • Seems to me that what's needed is for some enterprising individual with the right skillset (and more time than me) to write up a script (and then share it around widely) that will silently pass mail unless triggered by one of these Web Bug hooks (part of an established mail filter might do just fine).
    On finding one, it should issue somewhere more than ten GETs (a hundred or more would be nice if you've got the bandwidth, we're talking about HTTP GETs here, not mailings) to that site, each time with a different cookie value, none of them the one that was sent.

    If enough of us do this, the pool should be poisoned nicely. When they get wise to it, we'll have to advance to cronning the additional GETs.
    We might also add it into a signature-file generator for any outgoing HTML mail, especially replies.

    Maybe we can't help tying a ribbon around the tree with the pot of gold at the bottom of it, but we can tie a ribbon to every other tree as well.
  • No, you miss the point.
    Yes, it's fairly innocent, and cookies have been given a bad rap...

    The issue at hand is:
    1) I can send out tons of spam that uses this 'feature' to place a cookie on everyone's machine. I can also ensure that this 'cookie' contains their email address, because I *know* their email address.
    2) Now, whenever this person visits my site, it sends me their email address.

    It's an underhanded way of making sure that you *do* get the email addresses of visitors to your site. Yes, you could say you already have them.. but now you know when that particular person visits your site, and it's that much easier to track them down.

    As for saying that HTML can generate HTTP hits.. no.. that is patently false.
    HTML specifies the markup language, not the mechanism used to fetch objects. What the previous post said was that you can have HTML without HTTP, and he's entirely correct. What about pages that are on your HD? They don't use *any* HTTP to mark up a page with lots of graphics...

    So what he's saying is that the security model of the HTML renderer for the MUA should not permit access to HTTP facilities. If there are embedded images, they should be contained as attachments, and referenced as such.
  • In Eudora Pro you can tell it to strip HTML formatting from messages. I don't think in the light version though.
  • An easy way to remove unwanted cookies is to directly edit the cookie file (under *nix that is, I don't know about Windows). For Netscape (edit it while Netscape isn't up), the file is $HOME/.netscape/cookies

    Each cookie is a line, starting with the domain. I edit it occasionally and delete entire lines. Works great for me.

    As for disabling cookies (not just removing them occasionally), the problem is that some pages require cookies to work, which is bad design in my opinion. In most cases. Sometimes you need cookies; e.g. slashdot.
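    For anyone who would rather not hand-edit $HOME/.netscape/cookies, here is an added example (not code from the thread) that prunes a Netscape-format cookies file by domain and drops expired entries. It assumes the classic seven-field tab-separated layout; the sample file is constructed and reuses the domains discussed in this thread.

```python
"""Prune a Netscape-format cookies file without a text editor.

Added example, not code from the thread. The layout it assumes is the
classic Netscape one: '#' comment lines, then one cookie per line with
seven tab-separated fields:
    domain  flag  path  secure  expires(unix time)  name  value
"""
import time


def _domain_matches(cookie_domain, blocked):
    """True if cookie_domain equals blocked or is a sub-domain of it (leading dots ignored)."""
    c = cookie_domain.lower().lstrip(".")
    b = blocked.lower().lstrip(".")
    return c == b or c.endswith("." + b)


def prune_cookies(text, blocked_domains, now=None):
    """Return (new_text, removed), where removed lists the dropped cookie lines.

    A cookie line is dropped when its domain matches a blocked domain or when
    its expiry time has already passed. Comment, blank and unknown lines are kept.
    """
    if now is None:
        now = time.time()
    kept, removed = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            kept.append(line)
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            kept.append(line)          # not a cookie line we understand; leave it alone
            continue
        domain, _flag, _path, _secure, expires, _name, _value = fields
        if any(_domain_matches(domain, b) for b in blocked_domains):
            removed.append(line)
        elif expires.isdigit() and int(expires) < now:
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def cookie_domains(text):
    """List the domain of every cookie line in a cookies file."""
    return [l.split("\t")[0] for l in text.splitlines()
            if l.strip() and not l.startswith("#") and len(l.split("\t")) == 7]


# Constructed sample file; the domains echo the ones discussed in the thread.
SAMPLE_COOKIES = "\n".join([
    "# Netscape HTTP Cookie File",
    "# This is a generated file!  Do not edit.",
    "",
    "\t".join([".doubleclick.net", "TRUE", "/", "FALSE", "1893456000", "id", "8000abc"]),
    "\t".join(["me.com", "FALSE", "/", "FALSE", "1893456000", "emailtrack", "you%40you.com"]),
    "\t".join(["slashdot.org", "FALSE", "/", "FALSE", "1893456000", "user", "xyz"]),
    "\t".join([".stale.example", "TRUE", "/", "FALSE", "946684800", "old", "1"]),
]) + "\n"

if __name__ == "__main__":
    new_text, dropped = prune_cookies(SAMPLE_COOKIES, ["doubleclick.net", "me.com"], now=1000000000)
    print("dropped %d cookie(s):" % len(dropped))
    for d in dropped:
        print("  " + d.split("\t")[0])
    print(new_text)
```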
  • In Windows, there is a nice app called Cookie Pal that does this. To use it, you have to enable the alert message boxes for cookies in your web browser (Netscape and IE both do this). Cookie Pal intercepts these dialog boxes and accepts or rejects for you based on settings you choose. Very nice. I would recommend it.
  • A proxy could do this (I don't know if any [such as junkbusters] already do).
    It kind of brings up an interesting idea though. Banner adverts fund sites, right? So what if ISPs, perhaps an especially "popular" one like AOL, decided to start intercepting the requests for the banner ads and substituted their own? (Apparently there are already "in-line" caches out there that are invisible to the client.) What would be the legal ramifications?

    Rich
  • Unfortunately Mailsmith doesn't support IMAP yet. But I've found Mulberry great for my needs (Mac and Windows, Unix coming soon). It has a nice feature of letting you read the mail in plain text, formatted text, or raw text mode, so you can filter out the HTML if you like, or read it with the formatting, or see it with the source. It doesn't support all that Javascript crap anyways, just the formatting pieces of HTML which make sense to support, like bold and italics.

    Personally I find HTML email to be stupid for the most part, but part of the problem is how heavily the HTML clients try to push you to use it, just like with proprietary tags in browsers. They know the more HTML crap you get in the mail, the more you'll feel you're missing something by not using their stupid client. Most people who send HTML mail don't even realize they're doing it. And a lot don't realize that not everyone sees it the way they do. The biggest annoyance for me is when I'm just reading my mail in mailx (I don't do it that often anymore, just when I'm in a hurry or not near my mail client- IMAP is nice enough to keep my mail still readable in the shell) and there's all that HTML crap sitting there in the message. Sadly, I get a lot of legit HTML mail from people commenting on my websites (and the people at work who don't know better) so I can't just delete it all.

    Seems to me the best way to support HTML in mail is not to support the whole darn thing (after all, this is mail, not a browser) but to support an appropriate XML language which is a subset of it which is useful for mail, and possibly use some special tags which could be special for mail (for followups, quoting and stuff). Actually I remember seeing a proposal about this on the W3C site, but I can't recall the name or find it on their site now.

    Seems like this problem could be a danger in any mail client which stores browser cookies, and probably would not require Javascript (wouldn't loading an ad image on a page get that cookie there as well?)
  • Do any of the standard server-based spam filters filter for this sort of stuff? I would have thought that things like IMG tags, especially with GET variables attached and/or 1x1 size, would be a dead giveaway when trying to identify spam.
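    The indicators this comment lists (a remote IMG with GET variables attached and/or a 1x1 size, plus the per-recipient path of the /emailtrack/4321 scenario at the top of the thread) can be turned into a simple filter. The following is an added example, not code from the thread or from any mail filter it mentions; the sample message is constructed.

```python
"""Flag web-bug style tracking images in an HTML e-mail body.

Added example, not code from the thread or from any filter it mentions.
It checks for the pattern the scenario describes: an <img> whose src is
a remote HTTP URL carrying a per-recipient identifier (a numeric or
opaque path segment, or a query string) and/or a 1x1 size.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag (self-closing included)."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _looks_like_id(segment):
    """A path segment that is all digits, or a long mixed letters-and-digits token."""
    mixed = any(c.isdigit() for c in segment) and any(c.isalpha() for c in segment)
    return segment.isdigit() or (len(segment) >= 8 and segment.isalnum() and mixed)


def score_image(attrs):
    """Return the list of indicators that make one <img> look like a beacon."""
    reasons = []
    parts = urlsplit(attrs.get("src", ""))
    if parts.scheme not in ("http", "https"):
        return reasons                      # cid:/data: images never reach a remote server
    reasons.append("remote image fetched from %s" % parts.netloc)
    if parts.query:
        reasons.append("query string carries state: %s" % parts.query)
    if any(_looks_like_id(seg) for seg in parts.path.split("/") if seg):
        reasons.append("opaque identifier in path: %s" % parts.path)
    w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    if w in ("0", "1") and h in ("0", "1"):
        reasons.append("invisible %sx%s image" % (w, h))
    return reasons


def find_web_bugs(html_body):
    """Return [(src, reasons)] for images with at least two indicators.

    A plain remote logo scores one indicator and is left alone; the
    /emailtrack/4321 style URL or a 1x1 pixel with a query string is flagged.
    """
    collector = _ImgCollector()
    collector.feed(html_body)
    hits = []
    for img in collector.images:
        reasons = score_image(img)
        if len(reasons) >= 2:
            hits.append((img.get("src", ""), reasons))
    return hits


# Constructed sample message mixing a harmless logo, the thread's tracking
# URL, a 1x1 pixel with the address in the query string, and an attached image.
SAMPLE_MAIL = """<html><body>
<p>Hello you@you.com, thanks for reading.</p>
<img src="http://me.com/logo.gif" width="120" height="40">
<img src="http://me.com/emailtrack/4321">
<img src="http://ads.example/pixel.gif?u=you%40you.com" width="1" height="1" />
<img src="cid:part1.gif">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE_MAIL):
        print(src)
        for r in reasons:
            print("   -", r)
```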
  • Let's stick to reporting things that haven't happened yet. Just reprint those press releases-- that way you're bound to remain on the cutting edge of things to come.

    This reporting and investigating things that have already occurred really doesn't suit the information age. What possible benefit is there to bringing up current abuses and malfeasance? There is far too much malfeasance yet to come that we need to hastily and fretfully anticipate!
  • Is the following correct??
    It's not just that an email client can parse HTML, which will result in a future website visit revealing cookie info sent via email, but the browser I'm surfing with has to be the same browser I read the email with? So my browser shouldn't know what Eudora (which does not launch a browser but just *parses* the email) knows.
  • In a related story [lycos.com] published in April on Wired, the use of redirect hyperlinks to track email by Deja is described.

    Deja is basically tracking your creation of an email response to an article on their site.

    According to the article:

    "Deja News could also record -- and log -- the use of the link, the IP address of the sender, and the addressee's email [address]."

    The ACLU has some rather pithy comments on Deja's practices in this area, including the possibility that Deja is in violation of the Electronic Communications Privacy Act by intercepting these transactions.

    Not to worry though, Deja is a member of TRUSTe.

  • I guess this note will never meet the sight of most of the /.ers, but I had to bring this up because I found it an inherent flaw in Moderation in /.

    Do you remember the discussion about the CEO of Novell and his apparently stolen credit card numbers?? Well I had posted this story as reply number 37 [slashdot.org]. Furthermore an AC had actually replied with the same link as used in this story. No moderator seems to have found it fit to give any extra points. But now, a whole new discussion with 90 replies seems to have started.


    Hm.. A failure of /. Moderation Method (TM) ??
  • How hard would it be to set up the email clients with a REJECT button, causing compliant mail servers to send a daemon error saying user does not exist or even "Your mail has been REJECTED by the recipient"?

    I think it would be a BITCHIN spam killer...

    Cobratek
  • You or he should have submitted it as a story.

  • Even more reason to use Freedom from Zero-Knowledge at www.zeroknowledge.com. The product is not out yet, it's in beta testing stage. It supports you having multiple anonymous pseudonyms, works at the IP layer (I think) and filters all identifying information that it can find from your packets and ties them in with the pseudonym you select. Cookies go into separate cookie jars for each pseudonym. Quite cool.

    I have a beta evaluation copy: haven't used it too much, though it does slow down surfing a bit over a 56K modem connection.

    Yumpee
  • If you are running a POP mail account, why are you using Outlook for your mail? Because it was free and given to you? There is no free ride. Everything comes with a price tag - your privacy.

    I have Eudora as my mail client and so far have not had a cookie problem. If you are concerned about this problem, get an e-mail client other than Outlook. Problem is that you will have to spend money. This will not work with your free e-mail services like Hotmail or Yahoo and their kind.

    You get what you pays for!
  • How can junkbuster remove parts of an image URL? If it does not know which parts of a URL are an identification code, it can't block an HTML-interpreting email program from leaking info back to the sender's server.

    For example, several months ago TurboTax sent email announcing their newest update. The email included HTML which told TurboTax when you read the mail [tbtf.com]. It was just a retrieval of an image with a certain code to identify who they sent the mail to.

  • Also, it would be nice to be able to hack your browser to support cookies only from authorized sites

    Actually, you can do this with IE5. Which is not an implicit endorsement of the product, but it IS a nice feature. (Of course, Lynx also has this feature).
  • Great, I'll have to give that a try. Not exactly what I described, but still sounds very helpful. The only difference really is that it still just automatically chooses 'yes' or 'no' for you, still feels like less control over the information bouncing around in my PC (and you still might not know which sites tend to have the most offensive ad banners, etc). Once I try it out I'll probably change my mind , I'll have to see how well it catches nasty ad cookies while allowing me to log in and shop at various sites. :)

    Sounds like this is probably the best option possible, until a web browser actually offers the features I described built-in. I'll have to actually drop hints to the Mozilla team. ;)

  • Netscape on UNIX has this option ("Only accept cookies originating from the same server as the page being viewed"), and has since at least version 3.0.

    Netscape on Windows has an option in the same place called "Only accept cookies that are sent to originating server" -- I don't know if this means don't accept .co.uk or other idiotic domains (which would break things like sharing a login between www.yahoo.com and quote.yahoo.com), or if it is just dumbspeak for the same thing NS UNIX supports (I suspect it is the latter). I don't use windows much, so I haven't investigated.

    On Linux, using netscape, I haven't seen a cookie from doubleclick in over a year (I prune my cookie file regularly as well)
  • Will setting netscape to only accept cookies going back to the originating server prevent this?
  • Recent versions of Exchange support POP and IMAP. Depending on how your admin has things set up, you might be able to point an IMAP client against your Exchange server.
  • pine reads HTML mail and shows it as text, so images aren't automatically requested.
  • It's a big deal because (I'm not implying they have done this already, btw) doubleclick, for example, could send out a spam and use this method to place cookies for doubleclick in everyone's computer that contain that person's email address.
    So.. now, without *asking* you for your email information, they have caused your browser to inform them of your email address every time you visit a site with a doubleclick ad.

    Now, you say, they already had your email address.. yes, that is true. But they did *not* have a way to tie it into who was visiting what site when...
  • I meant that I don't see why it is suddenly such a big deal. It has been possible (and not all that difficult) since the dawn of HTML email. Nothing has changed.
  • by Anonymous Coward
    Argh! Are there ANY companies on the 'net that have any ethics regarding users privacy? I started using Deja for usenet searches recently; I had previously used Altavista but after they implemented their recent front-end revamp I can't seem to find the place to do usenet searches anymore.

    Can anyone suggest an alternative engine for usenet searches?

  • Actually Freedom's out. Came out December 1st. You probably won't even read this but hey, what the hell. Anyways, check out their new site at http://www.freedom.net . It's $49.95 for 5 nyms which can be used for a year each. If you only use 1 nym you can use it for 5 years. Pretty good deal in my opinion. And if you were a beta tester they should have sent you a release email with a promo code for 10 bucks off. I tried to order a couple of times and their web-based purchase crap was broken :-/ I called and the lady said she'd call me back in ten minutes; about 30 hours later I'm still waiting.
  • On my box, the default for "Restricted Sites" seems to allow JavaScript ("Active Scripting"), but does disallow cookies. There are several known JavaScript holes with IE/OE.

    Moral: MS users - make sure to customize your security settings.
    --
  • by Tim C ( 15259 ) on Saturday December 04, 1999 @09:48PM (#1480219)
    Something I haven't seen anyone else mention (but then I browse at Score 2 :o) ), is that this does more than allow spammers to build up a profile of you and tie it to your email address. It also proves that the address is valid.

    No longer will they have to rely on people following their "unsubscribe" instructions; merely reading the email will be enough to confirm that there is someone/something on the other end of the address they bought/harvested. They can then add the address to their list of confirmed active accounts - a pretty valuable thing to have, especially if you're in the business of selling addresses...

    Tim
  • Yes, email clients saving cookies is a bug.

    But, in the thirty seconds it took me to read your message I thought of another way to do it that would catch a lot of people.

    Include an image in the page, the URL of which contains a different ID for each person the email was sent to, but which returns the same picture.

    The website records IPs and then if it gets a cookie set by one of the banner sites in some period of time it assumes it's the same person.

    My solution would be that email has to include all the secondary files (images, etc) as attachments and load the local copies. So, unless the user clicks on a link (which would be passed to the web browser window) nothing external needs to be loaded.

    I'd also recommend to anyone writing a browser that they not let any plugins load from a page received in email without the user clicking a link.

    Not loading cookies from anywhere except the domain in the location bar seems to be a good idea. (Otherwise all it takes, even with an 'only load cookies from the open page' setting, would be to open an invisible frame and load something in it.)
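    The two readings of "only accept cookies from the originating server" debated earlier in the thread (exact host versus a shared yahoo.com-style domain, and the .co.uk question) and the invisible-frame weakness this comment points out can be made concrete. The following is an added example, not code from the thread or from Netscape/IE; its PUBLIC_SUFFIXES set is a constructed stand-in for a real public-suffix list.

```python
"""Evaluate 'only accept cookies from the originating server' against the
page in the location bar, not against whichever frame issued the request.

Added example, not code from the thread or from Netscape/IE. The suffix
set below is a constructed stand-in for a real public-suffix list, just
large enough to show the .co.uk case a commenter above worries about.
"""
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}   # constructed, not the real list


def registrable_domain(host):
    """Return the 'site' part of a hostname: one label left of the longest public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else host.lower()
    return host.lower()


def accept_cookie(page_url, request_url, mode="host"):
    """Decide whether a Set-Cookie returned for request_url should be kept
    while page_url is the document being viewed.

    mode="host": exact hostname match. Rejects third parties but also breaks
                 www.yahoo.com sharing a login with quote.yahoo.com.
    mode="site": registrable-domain match. Sub-hosts share, third parties still lose.
    """
    page = (urlsplit(page_url).hostname or "").lower()
    req = (urlsplit(request_url).hostname or "").lower()
    if mode == "host":
        return page == req
    return registrable_domain(page) == registrable_domain(req)


def framed_cookie_accepted(top_url, frame_url, request_url, compare_to_frame):
    """The invisible-frame weakness: if the check compares the request with the
    frame that made it, a third-party frame turns its own cookies into
    'originating server' cookies. Comparing with the top-level page closes that."""
    reference = frame_url if compare_to_frame else top_url
    return accept_cookie(reference, request_url, mode="site")


if __name__ == "__main__":
    print(accept_cookie("http://www.yahoo.com/", "http://quote.yahoo.com/q", "host"))  # False
    print(accept_cookie("http://www.yahoo.com/", "http://quote.yahoo.com/q", "site"))  # True
    print(framed_cookie_accepted("http://news.example.org/", "http://ads.doubleclick.net/f",
                                 "http://ads.doubleclick.net/pixel", compare_to_frame=True))   # True
    print(framed_cookie_accepted("http://news.example.org/", "http://ads.doubleclick.net/f",
                                 "http://ads.doubleclick.net/pixel", compare_to_frame=False))  # False
```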
  • I remember reading a .sig file a while ago that said:

    "There is a special place in hell reserved for people who use html email."

    (Sorry, I can't remember who it was, but I believe it was a /. reader. Credit where credit is due.)

    My sentiment exactly. I read everything in a shell with pine. Ain't no cookies going anywhere there... unless I missed something? Of course that's the personal mail. At work, I'm forced to use Outlook, but I am behind a firewall.

    Email is text... and maybe attached files. If you want to imply bold, * * it.

    No damn font changes, inline pics, none of that crap, that's why it's 7 bit. ;) (No flames please about the real legacy reasons that it's 7 bit, I know.)

    The purpose of email is to convey information. Text does that just fine for me. If you send me html formatted messages, pine can't read them, I'm not going to go to the trouble to save and view them, and you have failed to convey your message... so sorry. Now I find out that it's a nice security benefit as well. I always knew I was on the right track.

    It's sorta like web pages that are all filled up with Java and the like, I can't see them in lynx, so I can't get your content. Again, sorry, but you have lost a visitor.

    Russ
  • Instead of denying write permission to the file (browser might get suspicious), how about

        % ln -s /dev/null cookies

    That way they can scribble all they want, they go away happy, you just have to empty the bit bucket a bit more often. cheers...
    --
  • Embed invisible GIFs in the email.

    No. Don't embed the invisible GIF itself, but rather an IMG tag that points to an invisible GIF hosted somewhere on the Net. Tack on extra tracking information to the GIF's URL if desired, which later can be parsed on the server side.

    Embedding the GIF itself in the e-mail message wouldn't do anything useful.
  • >>only a limited number of people have the ability to post original stories

    I thought everyone had equal chance of getting their stories posted. Am I mistaken ??
  • This thread is really about misuse of cookies, but the problem would be less severe if cookies were used less often in the first place. I wonder if they're being used as a universal panacea in areas where they're not really necessary.

    What are the viable alternatives to cookies, at least for some applications? Are there any good web resources that discuss this kind of thing and offer means of avoiding cookie-based solutions?
  • Oh post.. I first read it as "submit" ! :)
  • Note to CmdrTaco, Hemos, and Roblimo:

    If you break a story on a major security hole that most people don't know about on a weekend, most people are still not going to know about it.

    I realize that this is not your intent, but, keep in mind that this is one of the oldest tricks in the book at newspapers like the New York Times [nytimes.com]. When there's an unfavorable story about the Clinton Administration, quite often the Times waits until Saturday, when no one is reading the paper, to break it.

    You got 150 posts on this topic, but, I suggest you would have gotten a lot more on Monday. More importantly, lots more people would have assessed their exposure to the potential risks.
    --

    Dave Aiello

  • >It doesn't matter that Netscape doesn't know your
    >email address. If it checks your email, the hole
    >is there.

    It would need to know the email in some way to retrieve it, wouldn't it?

    >I send HTML email to you@you.com with an image at
    >the URL http://me.com/emailtrack/4321

    Ack. I'm intolerant of mime, let alone HTML. you send me HTML, I tell you to go away. And I certainly wouldn't use a client that would automatically open something . . .

    >My server says "oh, /emailtrack/4321 was sent to
    >you@you.com so now I'll put a cookie on that
    >machine that relates to you@you.com

    mmm, cookies. Junkbuster is hungry. There are exactly three sites allowed to set cookies . . .
  • I think the major deal is that cookies should only be held within a specific user agent's environment. The fact that the e-mail client in question *shares* the same environment with the web browser is perhaps what should be corrected.

    As far as I'm concerned, access to HTTP services from within an e-mail message should be a settable option. If you need access to images in an e-mail, attach them like normal file attachments and reference them with <a href="file://attachment1.gif">. If HTTP must be used, put each e-mail message in its own "sand box" so that state information (such as a cookie) is never shared between e-mail messages or between e-mail messages and web sites as browsed through a typical browser.
