Summary:
Even with remote images turned off, Mail.app still makes HTTP connections for the images in HTML messages. Since many spam messages embed a unique identifier in the image URL to tell whether a mailbox is active, this leaks information about your email address and IP address to potential attackers.
It only does this if GrowlMail is enabled.
Steps to reproduce:
In Mail.app preferences, clear the "Display remote images in HTML messages" checkbox under the Viewing tab.
Start a network monitoring program such as Wireshark.
Receive an HTML email that references remote images.
When Mail.app receives the message and GrowlMail is enabled, it attempts a connection to the server hosting the image.
When Mail.app receives the message but GrowlMail is disabled, no connection is made to the image's hosting server.
Expected results:
I expect that no connection would be made to the server regardless of whether GrowlMail is enabled or disabled.
Notes:
This occurs with Growl 1.1.4. I haven't yet tried it with 1.1.5, but it appears that there are no relevant entries in the release notes.
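As an added example (not part of this report, of Growl or of Mail.app), a small Python check of the condition described above: it lists the remote image URLs an HTML message would fetch and rewrites the src attributes so a renderer or a notification preview cannot fetch them. The sample message and the tracker.example.net URL are constructed.

```python
import email
import html
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample (not from the report): a remote image URL with a per-recipient token.
RAW_MESSAGE = b"""\
From: sender@example.com
To: you@example.com
Content-Type: text/html; charset=utf-8

<html><body><p>Hello</p>
<img src="http://tracker.example.net/open.gif?rcpt=abc123" width="1" height="1">
<img src="cid:logo@local" alt="logo">
</body></html>
"""

REMOTE_SCHEME = re.compile(r"^\s*(https?:)?//", re.IGNORECASE)  # http(s) or //host/ fetches

class RemoteImageScanner(HTMLParser):
    """Records every remote <img src> plus a rewritten tag that neutralises it."""
    def __init__(self):
        super().__init__()
        self.remote_urls = []
        self.rewrites = []  # (original tag text, neutralised tag text)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag != "img" or not REMOTE_SCHEME.match(src):
            return  # cid:, data: and relative references stay untouched
        self.remote_urls.append(src)
        # Move the URL out of src so a renderer or preview plugin never fetches it.
        fixed = [("data-blocked-src" if n == "src" else n, v) for n, v in attrs]
        rendered = " ".join(f'{n}="{html.escape(v or "", quote=True)}"' for n, v in fixed)
        self.rewrites.append((self.get_starttag_text(), f"<img {rendered}>"))

def scan_html(html_text):
    """Return (remote image URLs, html_text with those src attributes neutralised)."""
    scanner = RemoteImageScanner()
    scanner.feed(html_text)
    for original, replacement in scanner.rewrites:
        html_text = html_text.replace(original, replacement)
    return scanner.remote_urls, html_text

def scan_message(raw_message):
    """Parse a raw message and scan its HTML body for remote images."""
    body = email.message_from_bytes(raw_message, policy=policy.default).get_body(("html",))
    return scan_html(body.get_content() if body else "")
```

Any URL returned by scan_message is one that a client (or a plugin previewing the message) would request even if images are disabled in its own settings.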
