Cookies are Security Hole in HTML Email

Richard Smith just keeps uncovering security holes. Today it's the Email Cookie Leak. By reading mail, you unknowingly register your email address in someone's database, and accept their cookie. Next time you browse their site, or a site they have banner ads or other GIFs on, you are essentially broadcasting your email address while you surf. As Smith points out, just wait until banner-ad companies start taking advantage of this. I repeat the suggestion I made in October: browsers (and all clients that speak HTTP) should reject cookies not sent with the page.

HTML mail ! for me

I have yet to find any problems with reading mail in pine or mail (mailx to some people). My favourite way is actually 'cat /var/spool/mail/`whoami` | less' - unless you have c^Hch^H^ha^H^ar^Hr you can't even make something bold there, let alone leave cookies :)

Anyhow, the point is that reading mail with special effects is proving to be more costly then its worth to those of us who value our privacy, and the general security of our email.

Though - ANSI bombs are possible in mailx :)

include "^[[10;1999]^[[11;1999]^G^[[12;1]^[[2J^[[1;1H^[[30 m^[[40m^^[[12;2]^[[2J^[[1;1H^[[30m^[[40m ^[[12;3]^[[2J^[[1;1H^[[30m^[[40m^[[12;4]^[[2J^[[1; 1H^[[30m^[[40m^[[12;5]^[[2J^[[1;1H^[[30m ^[[40m^[[12;6]^[[2J^[[1;1H^[[30m^[[40m[[31m^[[5m^[ [20;20HMAILX IS NO SAFER THEN NETSCAPE MAIL!!^[[K^G" in a message and open it with mailx or cat, (on a linux console). (Replace ^[ with \x1B or \33 or however else you want to put ESCape there, and ^G with control-G. All other ^ are the property of their respective control characters. :))

Don't^H^H^H^H try this at home!

From the article

From the article In Netscape Messenger, the GET request looks like: GET /sync.gif?email=john@doe.com HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.7 [en] (Win98; I)
Host: www.mybannerads.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Cookie: id=c643640a

Both the Email address and cookie value is included in the Outlook and Messenger GET requests. When the GET request is processed by the MyBannerAds server. It first extracts the customer id number from the cookie and looks it up its database of "anonymous" profiles of Web surfers. Once it has located the profile, it then extracts the Email address from the URL query string, turning a once "anonymous" profile into an "identified" profile.

So where does MyBannerAds get the Email addresses in first place to send out a message which includes the SYNC.GIF file? The answer is quite simple, they "rent" the Email addresses. Or more specifically, the rent space in junk Email messages that are already being sent out. The IMG tags typically take less than 100 bytes, so they can easily be embedded in messages that are part of any Email ad campaign that is using HTML Email messages.
Another interesting discusion about HTML Email and cookies can be found @: http://www.tiac.net/users/smiths /privacy/wbfaq.htm [tiac.net]

HTML, not HTTP

I'm glad we live in a world where Slashdot's YRO keeps us vigilant against the supposedly harmful effects of Internet society. I mean, if you think about it, there are many more Internet technologies that can, when used improperly, cause security violations on your system.

In this case, browsers simply need to be setup to function as individual components. The web browser should not have access to the same mechanisms as an e-mail client. HTML e-mail is different from loading a web page and should be treated as such. Cookies are not a part of HTML; they are a part of HTTP! The browsers shouldn't confuse the two. This isn't a problem with the implementations of cookies, this is a problem with the implementation of HTML e-mail and the web browser.

And the idea that loading cookies from only that page is ludicrous. The whole idea is to be able to give an entire site access to information so that you can do things on different pages with similar information without having to repeatedly ask for that information. There's nothing in the HTTP specification that makes this harmful. Someone simply didn't implement the specification properly so now clients can share cookie files, leading to a possible hidden exchange of data between them.

Re:Yes...

Go to freshmeat [freshmeat.net] and type in 'junkbuster'. :)

It's a personal filtering proxy that has the primary focus of replacing ad banners with a clear 1 square pixel gif image... it, however, has the added bonus of replacing your browser ID tag with something you specify (ie, you're a large corporation that has microsoft users inside, but externally, it looks like everyone is running netscape- great for image) as well as blocking cookies entirely from anyone you don't trust. Very cool software.

It has a windows port, a linux/unix port, and a MacOS port, and, if you just want to try it out, I believe there is a trial proxy server that you just specify in your netscape prefs.... last I checked it was purposely speed limited so that you would just install your own.

Best of all, it's free.

Privacy, not security

It's more of a privacy hole than a security hole (in the context that you used 'security').

People being able to acquire personal information and monitor your browsing habits without you knowing it doesn't increase the risk of them stealing your important files or sabotaging your network, it simply allows companies to violate Your Rights Online.

Proves the Address is Valid

Something I haven't seen anyone else mention (but then I browse at Score 2 :o) ), is that this does more than allows spammers to build up a profile of you and tie it to your email address. It also proves that the address is valid.

No longer will they have to rely on people following their "unsubscribe" instructions; merely reading the email will be enough to confirm that there is someone/something on the other end of the address they bought/harvested. They can then add the address to their list of confirmed active accounts - a pretty valuable thing to have, especially if you're in the business of selling addresses...

Tim