GrowlMail causes HTTP Request to hidden images

The Growl forums have moved to Google Groups, this forum is read only.
James Bondo
Harmless
Posts: 1
Joined: Tue Jun 16, 2009 8:46 pm

GrowlMail causes HTTP Request to hidden images

Postby James Bondo » Tue Jun 16, 2009 8:53 pm

Summary:
In Mail.app, even with images turned off, Mail.app still makes HTTP connections for the images. Since many spam messages have unique identifiers for the images to indicate if a mailbox is active or not, this leaks information to potential attackers about your email and IP addresses.
It only does this if GrowlMail is enabled.

Steps to reproduce:
In Mail.app preferences, clear the checkbox for "Display remote images in HTML messages" under the Viewing tab.
Start a network monitoring program such as Wireshark.
Receive an HTML email that references remote images.

When Mail.app receives the message and GrowlMail is enabled, it attempts a connection to the server requesting the image.
When Mail.app receives the message but GrowlMail is disabled, then there is no connection to the image's hosting server.

Expected results:
I expect that no connection would be made to the server regardless of whether GrowlMail is enabled or disabled.

Notes:
This occurs with Growl 1.1.4. I haven't yet tried it with 1.1.5, but it appears that there are no relevant entries in the release notes.

The_Tick
Cocoaforge Admin
Posts: 4642
Joined: Thu Dec 02, 2004 6:06 am

Re: GrowlMail causes HTTP Request to hidden images

Postby The_Tick » Tue Jun 16, 2009 9:44 pm

When making bug reports, you should use the latest version of what you are reporting against, even if the release notes do not mention it.

That said, I don't know that there is much that we can do about this.

boredzo
Cocoaforge Admin
Posts: 796
Joined: Mon Dec 06, 2004 7:49 am

Re: GrowlMail causes HTTP Request to hidden images

Postby boredzo » Wed Jun 17, 2009 12:41 am


mickeyc
Harmless
Posts: 1
Joined: Fri Oct 02, 2009 6:12 pm

Re: GrowlMail causes HTTP Request to hidden images

Postby mickeyc » Fri Oct 02, 2009 6:14 pm

Even if you're not using GrowlMail, and you have "Display remote images in HTML messages" unchecked, Apple Mail still loads remote content from the video and audio HTML5 tags. See: https://secure.grepular.com/blog/index. ... vacy-hole/
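
An added example, not part of any post in this thread: a Python check that lists the elements in a message's HTML part that would trigger a remote fetch if rendered, covering the image references from the first post and the video and audio tags from the last. The sample message, the tracker.example host, and the inclusion of `source` and `poster` are assumptions made here.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that name a remote resource. img comes from the first post and
# video/audio from the last; source and poster are assumptions added here.
REMOTE_ATTRS = {"img": ("src",), "video": ("src", "poster"),
                "audio": ("src",), "source": ("src",)}

class RemoteRefFinder(HTMLParser):
    """Collects (tag, url) pairs whose URL points at a network host."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in REMOTE_ATTRS.get(tag, ()) or not value:
                continue
            url = urlsplit(value.strip())
            # cid: and data: URLs have no host; //host/path has no scheme.
            if url.netloc and url.scheme in ("", "http", "https"):
                self.refs.append((tag, value.strip()))

def remote_refs(raw_message: bytes):
    """Return remote references found in every text/html part."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.refs

# Constructed sample message; tracker.example and the id value are made up.
SAMPLE = (
    b"From: sender@example.com\r\nTo: user@example.org\r\n"
    b"Subject: constructed test\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b'<html><body><p>Hello</p>'
    b'<img src="http://tracker.example/pixel.gif?id=abc123" width="1">'
    b'<img src="cid:logo@example.com">'
    b'<video src="https://tracker.example/v.mp4?id=abc123"></video>'
    b'<audio><source src="//tracker.example/a.ogg?id=abc123"></audio>'
    b"</body></html>\r\n"
)

if __name__ == "__main__":
    for tag, url in remote_refs(SAMPLE):
        print(f"{tag}: {url}")
```

Running it against a saved message while a network monitor is open shows which requests to expect if the client ignores its remote-content setting.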

